Cisco ASA 5580 Getting Started Guide - Digitcom
Cisco ASA 5580
Getting Started Guide
Software Version 8.1

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Customer Order Number: DOC-7818101=
Text Part Number: 78-18101-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of
California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved.
Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We
Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP,
CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems,
Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch,
Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise,
the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking
Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your
Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United
States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (0711R)

Cisco ASA 5580 Getting Started Guide
© 2007 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1  Before You Begin  1-1

CHAPTER 2  Maximizing Throughput on the ASA 5580  2-1
  Network Interfaces  2-1
    Expansion Boards  2-2
    Supported PCI Cards  2-5
  Optimizing Performance  2-6
  What to Do Next  2-8

CHAPTER 3  Installing the ASA 5580  3-1
  Verifying the Package Contents  3-1
  Installing the Chassis  3-3
    Rack-Mounting the Chassis  3-3
  Ports and LEDs  3-13
    Front Panel LEDs  3-13
    Rear Panel LEDs and Ports  3-16
  Connecting Interface Cables  3-20
  What to Do Next  3-24

CHAPTER 4  Configuring the Adaptive Security Appliance  4-1
  About the Factory Default Configuration  4-1
  Using the CLI for Configuration  4-2
  Using the Adaptive Security Device Manager for Configuration  4-2
    Preparing to Use ASDM  4-3
    Gathering Configuration Information for Initial Setup  4-4
    Installing the ASDM Launcher  4-5
    Starting ASDM with a Web Browser  4-7
    Running the ASDM Startup Wizard  4-8
  What to Do Next  4-9

CHAPTER 5  Scenario: Configuring Connections for a Cisco AnyConnect VPN Client  5-1
  About SSL VPN Client Connections  5-1
  Obtaining the Cisco AnyConnect VPN Client Software  5-2
  Example Topology Using AnyConnect SSL VPN Clients  5-3
  Implementing the Cisco SSL VPN Scenario  5-3
    Information to Have Available  5-4
    Starting ASDM  5-5
    Configuring the ASA 5580 for the Cisco AnyConnect VPN Client  5-6
      Specifying the SSL VPN Interface  5-7
      Specifying a User Authentication Method  5-8
      Specifying a Group Policy  5-10
      Configuring the Cisco AnyConnect VPN Client  5-11
    Verifying the Remote-Access VPN Configuration  5-13
  What to Do Next  5-14

CHAPTER 6  Scenario: SSL VPN Clientless Connections  6-1
  About Clientless SSL VPN  6-1
  Security Considerations for Clientless SSL VPN Connections  6-2
  Example Network with Browser-Based SSL VPN Access  6-3
  Implementing the Clientless SSL VPN Scenario  6-4
    Information to Have Available  6-5
    Starting ASDM  6-5
    Configuring the ASA 5580 for Browser-Based SSL VPN Connections  6-7
      Specifying the SSL VPN Interface  6-8
      Specifying a User Authentication Method  6-10
      Specifying a Group Policy  6-11
      Creating a Bookmark List for Remote Users  6-12
    Verifying the Configuration  6-16
  What to Do Next  6-18

CHAPTER 7  Scenario: Site-to-Site VPN Configuration  7-1
  Example Site-to-Site VPN Network Topology  7-1
  Implementing the Site-to-Site Scenario  7-2
    Information to Have Available  7-3
    Configuring the Site-to-Site VPN  7-3
      Starting ASDM  7-3
      Configuring the Adaptive Security Appliance at the Local Site  7-5
      Providing Information About the Remote VPN Peer  7-6
      Configuring the IKE Policy  7-8
      Configuring IPsec Encryption and Authentication Parameters  7-9
      Specifying Hosts and Networks  7-10
      Viewing VPN Attributes and Completing the Wizard  7-12
    Configuring the Other Side of the VPN Connection  7-13
  What to Do Next  7-13

CHAPTER 8  Scenario: IPsec Remote-Access VPN Configuration  8-1
  Example IPsec Remote-Access VPN Network Topology  8-1
  Implementing the IPsec Remote-Access VPN Scenario  8-2
    Information to Have Available  8-3
    Starting ASDM  8-3
    Configuring an IPsec Remote-Access VPN  8-5
      Selecting VPN Client Types  8-6
      Specifying the VPN Tunnel Group Name and Authentication Method  8-7
      Specifying a User Authentication Method  8-9
      (Optional) Configuring User Accounts  8-10
      Configuring Address Pools  8-11
      Configuring Client Attributes  8-13
      Configuring the IKE Policy  8-14
      Configuring IPsec Encryption and Authentication Parameters  8-15
      Specifying Address Translation Exception and Split Tunneling  8-16
    Verifying the Remote-Access VPN Configuration  8-18
  What to Do Next  8-19

APPENDIX A  Obtaining a 3DES/AES License  A-1

INDEX
CHAPTER 1
Before You Begin

Use the following table to find the installation and configuration steps that are
required for your implementation of the Cisco ASA 5580 adaptive security
appliance.

To Do This...                                  See...
Install the chassis                            Chapter 3, "Installing the ASA 5580"
Connect interface cables                       Chapter 3, "Installing the ASA 5580"
Perform initial setup of the adaptive          Chapter 4, "Configuring the Adaptive Security Appliance"
  security appliance                           Cisco ASDM User Guide
Configure the adaptive security appliance      Chapter 5, "Scenario: Configuring Connections for a
  for your implementation                        Cisco AnyConnect VPN Client"
                                               Chapter 6, "Scenario: SSL VPN Clientless Connections"
                                               Chapter 7, "Scenario: Site-to-Site VPN Configuration"
                                               Chapter 8, "Scenario: IPsec Remote-Access VPN Configuration"
Configure optional and advanced features       Cisco Security Appliance Command Line Configuration Guide
                                               Cisco Security Appliance Command Reference
Operate the system on a daily basis            Cisco Security Appliance Logging Configuration and
                                                 System Log Messages
                                               Cisco ASDM User Guide
CHAPTER 2
Maximizing Throughput on the ASA 5580

The Cisco ASA 5580 adaptive security appliance is designed to deliver maximum
throughput when configured according to the guidelines described in this chapter.
This chapter includes the following sections:
• Network Interfaces, page 2-1
• Optimizing Performance, page 2-6
• What to Do Next, page 2-8

Network Interfaces

The ASA 5580 has two built-in Gigabit Ethernet network ports and nine expansion
slots. The two built-in ports are numbered 0 and 1. The expansion slot numbers
increase from right to left (see Figure 2-1).

The two built-in Gigabit Ethernet ports are management ports and are named
Management0/0 and Management0/1.

Of the nine interface expansion slots, slots 1, 2, and 9 are reserved. Slot 1 is
occupied by the crypto accelerator and is not available for network interface
cards. Slot 2 is reserved for future use.

You can populate slots 3 through 8 with supported network interface cards.

The appliance has two I/O bridges, and each I/O slot connects to one of the two
buses. The management ports and the adapters in slot 3, slot 4, slot 5, and slot 6
are on I/O bridge 1; the adapters in slot 7 and slot 8 are on I/O bridge 2.

Figure 2-1 shows the embedded ports and slots on the ASA 5580.

Figure 2-1  Embedded Ports and Slots on the ASA 5580
[Rear view: expansion slots 9 through 1 from left to right, labeled PCI-E x4,
PCI-E x8, PCI-E x4, PCI-E x8, PCI-E x4 and PCI-X 100 MHz; power supplies PS1 and
PS2; UID, CONSOLE, MGMT0/1 and MGMT0/0.]

1  Power supply                  2   Interface expansion slots
3  Power supply                  4   T-15 Torx screwdriver
5  USB ports                     6   Reserved slot
7  Example of a populated slot   8   Reserved slot
9  Console port                  10  Management ports

Expansion Boards

Slot 1, slot 2, and slot 9 are reserved. Slots 3 through 9 are PCI Express slots.
Adapters installed on the two internal I/O bridges provide copper Gigabit Ethernet
and fiber Gigabit Ethernet connectivity.
Slots 5, 7, and 8 use the high-capacity bus (PCIe x8); slot 3, slot 4, and slot 6
use the PCIe x4 bus.

The following table lists the interface expansion slots on the ASA 5580, and
Figure 2-2 shows where they are located.

Slot  Description
1     PCI-X non-hot-plug reserved slot, 64-bit/100-MHz
2     PCI-X non-hot-plug reserved slot, 64-bit/100-MHz
3     PCI Express x4 non-hot-plug expansion slot
4     PCI Express x4 non-hot-plug expansion slot
5     PCI Express x8 non-hot-plug expansion slot
6     PCI Express x4 non-hot-plug expansion slot
7     PCI Express x8 non-hot-plug expansion slot
8     PCI Express x8 non-hot-plug expansion slot
9     PCI Express x4 non-hot-plug reserved slot

Figure 2-2  Interface Expansion Slots
[Internal view of the chassis with callouts 1 through 7.]

1, 3     Power supply
4, 5, 7  Fans
6        Diagnostic panel
Supported PCI Cards

The ASA 5580 supports the following PCI cards:

• 4-Port Gigabit Ethernet Copper PCI card
  Provides four 10/100/1000BASE-T interfaces, allowing up to 24 Gigabit Ethernet
  copper interfaces in a fully populated chassis. Figure 2-3 shows the card.

  Figure 2-3  4-Port Gigabit Ethernet Copper PCI Card

• 2-Port 10-Gigabit Ethernet Fiber PCI card
  Provides two 10-Gigabit Ethernet fiber interfaces, allowing up to 12
  10-Gigabit Ethernet fiber interfaces in a fully populated chassis.
  Each port on the card requires a multimode fiber cable with an LC connector.
  Figure 2-4 shows the card.

  Figure 2-4  2-Port 10-Gigabit Ethernet Fiber PCI Card

• 4-Port Gigabit Ethernet Fiber PCI card
  Provides four 1000BASE-SX (fiber) interfaces, allowing up to 24 Gigabit
  Ethernet fiber interfaces in a fully populated chassis.
  Each port on the card requires a multimode fiber cable with an LC connector.
Optimizing Performance

To maximize traffic throughput, ensure that the traffic flow and the hardware
configuration of the adaptive security appliance match the following guidelines:

• Ideal performance is achieved when traffic enters and exits through ports on the
  same adapter, or through ports on adapters serviced by the same I/O bridge.
  The ASA 5580 has two I/O bridges, and each I/O slot connects to one of them. The
  adapters in slot 3, slot 4, slot 5, and slot 6 are on one I/O bridge; the
  adapters in slot 7 and slot 8 are on the other.
  Optimal performance is achieved when traffic does not traverse both I/O bridges,
  that is, when each flow enters and exits through ports on adapters on the same
  bus. For the traffic that needs the best performance, pair ports on the adapters
  in slot 7 and slot 8. Keep the remaining traffic on ports on the adapters in
  slots 3 through 6. Figure 2-5 shows traffic configured to enter and exit through
  slot 7 and slot 8 on the high-capacity I/O bridge (PCIe x8).

• 10-Gigabit Ethernet adapters need the bandwidth of the high-capacity I/O bridge;
  install them only in the PCIe x8 slots: slot 5, slot 7, and slot 8.

  Note  A 10-Gigabit Ethernet adapter can deliver full-duplex 10-Gigabit Ethernet
  on one port given the right traffic profile. The bus bandwidth limits the
  combined throughput of both ports on the same adapter to under 16 Gbps
  full-duplex.

• Four-port adapters can be placed in any slot, but the bus can become a
  bottleneck if every port carries 1 Gigabit full-duplex worth of traffic. On the
  normal-speed bus, the bus bandwidth limits the aggregate throughput of one
  adapter to under 8 Gbps.

  Note  Use the show io-bridge command to see the traffic throughput over each
  bus. For more information about the command, see the Cisco Security Appliance
  Command Reference.

• The management ports can pass through data traffic if you remove the
  management-only command from their configuration. However, the management ports
  are not optimized for data traffic and will not perform as well as the ports on
  the adapters. Leave management-only configured unless you have a specific reason
  to remove it: with it in place, the management interface accepts only traffic
  addressed to the appliance itself and does not forward through-traffic, which
  keeps the management network separated from the data path.

Figure 2-5 shows an example of traffic configured to traverse ports on slot 7 and
slot 8 on the high-capacity I/O bridge (PCIe x8).

Figure 2-5  Example of Traffic Flow for Optimum Performance
[Rear view of the chassis; incoming and outgoing traffic enters and leaves through
the adapters in slot 7 and slot 8 (PCI-E x8), marked "Maximum throughput".]
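The following configuration fragment is an added example, not configuration from the original guide, written in ASA 8.1 CLI form to apply the guidelines above: the built-in management port keeps management-only, the two data interfaces are placed on the adapters in slot 7 and slot 8 so that through-traffic enters and leaves on the same I/O bridge, and management-plane access is limited to the management network. The interface names GigabitEthernet7/0 and GigabitEthernet8/0, the nameif values, and the addresses are assumptions chosen for illustration; substitute the names that show interface lists for the adapters in your chassis.

```cisco
! Added example (not from the original guide). Interface names, nameif values
! and addresses are assumptions chosen for illustration.
!
! Built-in management port: keep management-only so the interface accepts only
! traffic addressed to the appliance itself and never forwards through-traffic.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0
 management-only
!
! Data interfaces on the adapters in slot 7 and slot 8 (both on I/O bridge 2,
! PCIe x8), so a flow between outside and inside stays on one I/O bridge.
interface GigabitEthernet7/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet8/0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Permit SSH and ASDM (HTTPS) only from the management network, only on the
! management interface.
ssh 192.0.2.0 255.255.255.0 management
http server enable
http 192.0.2.0 255.255.255.0 management
!
! Verification from privileged EXEC mode:
!   show interface ip brief                      - data interfaces up on the expected slots
!   show io-bridge                               - traffic load on the bus serving slot 7 and 8
!   show running-config interface Management0/0  - management-only still present
```

Enabling SSH additionally needs an RSA key pair and an authentication method (crypto key generate rsa and aaa authentication ssh console LOCAL with a local user), which this chapter does not cover. After the configuration is applied, the data load reported by show io-bridge should sit on the bus that serves slot 7 and slot 8, and the management interface should still show management-only; if that line is missing, the management network has become a forwarding path and the separation from the data plane is lost.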
What to Do Next

Continue with Chapter 3, "Installing the ASA 5580."
CHAPTER 3
Installing the ASA 5580

Caution  Read the safety warnings in the Regulatory Compliance and Safety
Information for the Cisco ASA 5580 Adaptive Security Appliance and follow proper
safety procedures when performing these steps.

Warning  Only trained and qualified personnel should install, replace, or service
this equipment. Statement 49

This chapter describes the adaptive security appliance and the procedures for
rack-mounting and installing it. This chapter includes the following sections:
• Verifying the Package Contents, page 3-1
• Installing the Chassis, page 3-3
• Ports and LEDs, page 3-13
• Connecting Interface Cables, page 3-20
• What to Do Next, page 3-24

Verifying the Package Contents

Verify the contents of the packing box, shown in Figure 3-1, to ensure that you
have received all items necessary to install the ASA 5580.
Figure 3-1  Contents of ASA 5580 Package
[Cisco ASA 5580 adaptive security appliance; Safety and Compliance Guide; Cisco
ASA 5580 Adaptive Security Appliance Product CD; documentation; yellow Ethernet
cable; blue console cable; RJ-45 to DB-9 adapter (PC terminal adapter).]

In addition to the contents shown in Figure 3-1, the ASA 5580 package includes
the rail system kit. The rail system kit contains the following items:
• Two slide assemblies
• Two chassis rails
• Four Velcro straps
• Six zip ties
• One cable management arm
• A package of miscellaneous parts (screws, and so forth)
• One cable management arm stop bracket
Installing the Chassis

This section describes how to rack-mount and install the adaptive security
appliance.

Warning  To prevent bodily injury when mounting or servicing this unit in a rack,
you must take special precautions to ensure that the system remains stable. The
following guidelines are provided to ensure your safety.

The following information can help you plan the equipment rack installation:
• Allow clearance around the rack for maintenance.
• When mounting a device in an enclosed rack, ensure adequate ventilation. An
  enclosed rack should never be overcrowded. Make sure that the rack is not
  congested, because each unit generates heat.
• When mounting a device in an open rack, make sure that the rack frame does not
  block the intake or exhaust ports.
• If the rack contains only one unit, mount the unit at the bottom of the rack.
• If the rack is partially filled, load the rack from the bottom to the top, with
  the heaviest component at the bottom of the rack.
• If the rack contains stabilizing devices, install the stabilizers prior to
  mounting or servicing the unit in the rack.

Warning  Before performing any of the following procedures, ensure that the power
source (AC or DC) is off. To ensure that power is removed from the DC circuit,
locate the circuit breaker on the panel board that services the DC circuit,
switch the circuit breaker to the OFF position, and tape the switch handle of the
circuit breaker in the OFF position.

Rack-Mounting the Chassis

Warning  To prevent bodily injury when mounting or servicing this unit in a rack,
you must take special precautions to ensure that the system remains stable. The
following guidelines are provided to ensure your safety:
This unit should be mounted at the bottom of the rack if it is the only unit in
the rack.
When mounting this unit in a partially filled rack, load the rack from the bottom
to the top with the heaviest component at the bottom of the rack.
If the rack is provided with stabilizing devices, install the stabilizers before
mounting or servicing the unit in the rack. Statement 1006

This procedure requires two or more people to position the adaptive security
appliance on the slide assemblies before pushing it into the rack.

To install the adaptive security appliance in the rack, perform the following
steps:

Step 1  Attach the chassis side rail to the adaptive security appliance by
aligning the chassis rail with the stud on the adaptive security appliance,
pressing the chassis side rail onto the stud, and then sliding the chassis side
rail backwards until you hear the latch catch, as shown in Figure 3-2.

Figure 3-2  Chassis Side Rail Attachment
[Side view of the chassis with the rail aligned to the stud.]

Note  The tapered end of the chassis side rail should be at the back of the
adaptive security appliance. The chassis side rail is held in place by the inner
latch.

Step 2  Repeat Step 1 for each chassis side rail.
Step 3  To remove the chassis side rail, lift the latch and slide the rail
forward, as shown in Figure 3-3.

Figure 3-3  Removal from the Chassis Side Rail
[Chassis side rail with the latch lifted (callout 1) and the rail sliding forward
(callout 2).]

Step 4  If you are installing the adaptive security appliance in a shallow rack,
one that is less than 28.5 in. (72.39 cm) deep, remove the screw from the inside
of the slide assembly before continuing with Step 5, as shown in Figure 3-4.

Figure 3-4  Screw Inside the Slide Assembly
[Slide assembly with the screw to remove for racks shallower than 28.5 in.]

Step 5  Attach the slide assemblies to the rack, as shown in Figure 3-5.
• For round- and square-hole racks:
  a. Line up the studs on the slide assembly with the holes on the inside of the
     rack and snap into place.
  b. Adjust the slide assembly lengthwise to fit the rack.
     The spring latch locks the slide assembly into position.

Figure 3-5  Slide Assembly Attachment
[Slide assembly studs aligned with the rack holes; callouts 1 through 3.]

  c. Repeat for each slide assembly.
     Make sure the slide assemblies line up with each other in the rack.
  d. Lift the spring latch to release the slide assembly if you need to
     reposition it.

• For threaded-hole racks:
  a. Remove the eight round- or square-hole studs on each slide assembly using a
     standard screwdriver, as shown in Figure 3-6.

  Note  You may need a pair of pliers to hold the retaining nut.

Figure 3-6  Attachment in Threaded Hole Racks
[Slide assembly with the studs and retaining nuts; callouts 1 through 3.]

  b. Line up the bracket on the slide assembly with the rack holes, and install
     two screws (top and bottom) on each end of the slide assembly, as shown in
     Figure 3-7.

Figure 3-7  Lining up the Bracket
[Bracket aligned with the rack holes; callout 1.]

  c. Repeat for each slide assembly.

Step 6  Extend the slide assemblies out of the rack, as shown in Figure 3-8.
Chapter 3 Installing the <strong>ASA</strong> <strong>5580</strong><br />
Installing the Chassis<br />
Figure 3-8<br />
Slide Assemblies Extended<br />
201995<br />
Step 7<br />
Align the chassis side rails on the adaptive security appliance with the slide<br />
assembly on both sides of the rack, release the blue slide tab (by either pulling the<br />
tab forward or pushing the tab back), and carefully push the adaptive security<br />
appliance in to place, as shown in Figure 3-9.<br />
78-18101-01<br />
<strong>Cisco</strong> <strong>ASA</strong> <strong>5580</strong> <strong>Getting</strong> <strong>Started</strong> <strong>Guide</strong><br />
3-11
<strong>Cisco</strong> IPS 4270 SERIES<br />
Intrusion Prevention Sensor<br />
UID<br />
Installing the Chassis<br />
Chapter 3 Installing the <strong>ASA</strong> <strong>5580</strong><br />
Warning<br />
When installing an adaptive security appliance in an empty rack, you must support the adaptive security appliance from the front until the blue slide tabs are activated and the adaptive security appliance is pushed completely into the rack, or the rack can tip.<br />
Figure 3-9 Alignment of the Chassis Side Rails<br />
Caution<br />
Keep the adaptive security appliance parallel to the floor as you slide it into the<br />
rails. Tilting the adaptive security appliance up or down can damage the slide<br />
rails.<br />
Ports and LEDs<br />
This section describes the front and rear panels. This section includes the<br />
following topics:<br />
• Front Panel LEDs, page 3-13<br />
• Rear Panel LEDs and Ports, page 3-16<br />
Front Panel LEDs<br />
Figure 3-10 shows the LEDs on the front panel of the adaptive security appliance.<br />
Figure 3-10 Front View<br />
1 Active LED<br />
2 System LED<br />
3 Power Status LED<br />
4 Management 0/0 LED<br />
5 Management 0/1 LED<br />
6 Power<br />
Table 3-1 describes the front panel switches and indicators on the <strong>ASA</strong> <strong>5580</strong>.<br />
Table 3-1 Front Panel Switches and Indicators<br />
<table>
<tr><th>Indicator</th><th>Description</th></tr>
<tr><td>Active</td><td>Toggles between Active and Standby Failover status of the chassis:<br />
• On—Failover active<br />
• Off—Standby status</td></tr>
<tr><td>System indicator</td><td>Indicates internal system health:<br />
• Green—System on<br />
• Flashing amber—System health degraded<br />
• Flashing red—System health critical<br />
• Off—System off</td></tr>
<tr><td>Power status indicator</td><td>Indicates the power supply status:<br />
• Green—Power supply on<br />
• Flashing amber—Power supply health degraded<br />
• Flashing red—Power supply health critical<br />
• Off—Power supply off</td></tr>
<tr><td>MGMT0/0 indicator</td><td>Indicates the status of the management port:<br />
• Green—Linked to network<br />
• Flashing green—Linked with activity on the network<br />
• Off—No network connection</td></tr>
<tr><td>MGMT0/1 indicator</td><td>Indicates the status of the management port:<br />
• Green—Linked to network<br />
• Flashing green—Linked with activity on the network<br />
• Off—No network connection</td></tr>
<tr><td>Power switch and indicator</td><td>Turns power on and off:<br />
• Amber—System has AC power and is in standby mode<br />
• Green—System has AC power and is turned on<br />
• Off—System has no AC power</td></tr>
</table>
For more information on the Management Port, see the management-only<br />
command in the <strong>Cisco</strong> Security Appliance Command Reference.<br />
Rear Panel LEDs and Ports<br />
Figure 3-11 shows the rear panel LEDs and ports.<br />
Figure 3-11 Back Panel Features<br />
1 Power supply<br />
2 Interface expansion slots<br />
3 Power supply<br />
4 T-15 Torx screwdriver<br />
5 USB ports<br />
6 Reserved slot<br />
7 Example of a populated slot<br />
8 Reserved slot<br />
9 Console port<br />
10 Management ports<br />
Figure 3-12 shows the activity indicators on the Ethernet ports (two indicators per port) and the power supply indicators.<br />
Figure 3-12 Rear Panel LEDs<br />
1 Power indicator<br />
2 Link indicator<br />
3 Activity indicator<br />
Table 3-2 describes the Ethernet port indicators. The behavior of the port<br />
indicators varies based on the type of port—management port, port in a Gigabit<br />
Ethernet interface card, port in a 10-Gigabit Ethernet Fiber interface card, or a<br />
port in a Gigabit Ethernet Fiber interface card.<br />
Table 3-2 Ethernet Port Indicators<br />
<table>
<tr><th>Indicator</th><th>Description</th></tr>
<tr><td>Gigabit Ethernet</td><td>Green (top): link to network<br />
Flashing green (top): linked with activity on the network<br />
Amber (bottom): Speed 1000<br />
Green (bottom): Speed 100<br />
Off (bottom): Speed 10</td></tr>
<tr><td>10-Gigabit Ethernet Fiber (one LED)</td><td>Green: link to network<br />
Flashing green: linked with activity on the network</td></tr>
<tr><td>Gigabit Ethernet Fiber (one LED)</td><td>Green: link to network<br />
Flashing green: linked with activity on the network</td></tr>
<tr><td>Management port</td><td>Green (right): link to network<br />
Flashing green (left): linked with activity on the network</td></tr>
</table>
Note<br />
The indicators on the management ports show a green LED regardless of the negotiated speed (10/100/1000); however, the Gigabit Ethernet interface cards show an amber LED when a 1000 Mbps link is negotiated.<br />
Table 3-3 describes the power supply indicators.<br />
Table 3-3 Power Supply Indicators<br />
<table>
<tr><th>Fail Indicator 1 (Amber)</th><th>Power Indicator 2 (Green)</th><th>Description</th></tr>
<tr><td>Off</td><td>Off</td><td>No AC power to any power supply</td></tr>
<tr><td>Flashing</td><td>Off</td><td>Power supply failure (over current)</td></tr>
<tr><td>On</td><td>Off</td><td>No AC power to this power supply</td></tr>
<tr><td>Off</td><td>Flashing</td><td>• AC power present<br />
• Standby mode</td></tr>
<tr><td>Off</td><td>On</td><td>Normal</td></tr>
</table>
Connecting Interface Cables<br />
This section describes how to connect the appropriate cables to the Console,<br />
Management, copper Ethernet, and fiber Ethernet ports.<br />
To connect cables to the network interfaces, perform the following steps:<br />
Step 1 Place the chassis on a flat, stable surface, or in a rack (if you are rack-mounting it).<br />
Step 2 Connect to the Management port.<br />
The adaptive security appliance has a dedicated interface for device management<br />
that is referred to as the Management0/0 port. The management ports<br />
(Management0/0 port and Management 0/1) are Fast Ethernet interfaces. The<br />
management ports are similar to the Console port, but they only accept traffic that<br />
is destined to-the-box (versus traffic that is through-the-box). Management0/0<br />
(MGMT0/0) is the command and control port.<br />
Note<br />
You can configure any interface to be a management-only interface using<br />
the management-only command. You can also disable management-only<br />
configuration mode on the management interface. For more information<br />
about this command, see the management-only command in the <strong>Cisco</strong><br />
Security Appliance Command Reference.<br />
a. Locate an Ethernet cable, which has an RJ-45 connector on each end.<br />
b. Connect one RJ-45 connector to the Management0/0 port, as shown in<br />
Figure 3-13.<br />
c. Connect the other end of the Ethernet cable to the Ethernet port on your<br />
computer or to your management network.<br />
Figure 3-13 Connecting to the Management Port (callouts: interface expansion slots, reserved slots, RJ-45 to RJ-45 Ethernet cable connected to MGMT0/0)<br />
Caution<br />
Management and console ports are privileged administrative ports. Connecting them to an untrusted network can create security concerns.<br />
Step 3 Connect to the Console port. Use the Console port to connect to a computer to enter configuration commands.<br />
a. Before connecting a computer or terminal to any ports, check the baud rate of the serial port. The baud rate of the computer or terminal must match the default baud rate (9600 baud) of the Console port of the adaptive security appliance.<br />
Set up the terminal as follows: 9600 baud (default), 8 data bits, no parity, 1 stop bit, and Flow Control (FC) = Hardware.<br />
b. Connect the RJ-45-to-DB-9 adapter to the Console port and connect the other end to the DB-9 connector on your computer, as shown in Figure 3-14.<br />
Note<br />
You can use a 180/rollover or straight-through patch cable to connect the<br />
appliance to a port on a terminal server with RJ-45 or hydra cable<br />
assembly connections. Connect the appropriate cable from the Console<br />
port on the appliance to a port on the terminal server.<br />
Figure 3-14 Connection of the RJ-45 to a DB-9 Adapter (callouts: RJ-45 to DB-9 serial cable (null-modem), RJ-45 to DB-9 adapter, Console port (DB-9), computer serial port DB-9)<br />
Step 4 Connect the copper and fiber Ethernet ports to be used for network connections. Copper and fiber Ethernet ports are available in slots 3 through 8.<br />
By default, the <strong>ASA</strong> <strong>5580</strong> ships with slot 3 through slot 8 available. You can<br />
purchase bundles for the I/O adapter options. See Optimizing Performance in<br />
Chapter 2, “Maximizing Throughput on the <strong>ASA</strong> <strong>5580</strong>”.<br />
a. Connect one end of an Ethernet cable to an Ethernet port in slots 3 through 8,<br />
as shown in Figure 3-15.<br />
Figure 3-15 Copper Ethernet or a Fiber Ethernet Interface (callouts: interface expansion slots, reserved slots, multi-mode fiber cable with LC connector, RJ-45 to RJ-45 Ethernet cable)<br />
b. Connect the other end of the Ethernet cables to a network device, such as a router or switch.<br />
Step 5 Install the electrical cables at the back of the adaptive security appliance. Attach the power cables and plug them in to a power source (we recommend a UPS), as shown in Figure 3-16.<br />
Figure 3-16 Electrical Cable Installation (rear view showing power supplies PS1 and PS2)<br />
Step 6 Power on the chassis.<br />
What to Do Next<br />
Continue with Chapter 4, “Configuring the Adaptive Security Appliance.”<br />
Chapter 4 Configuring the Adaptive Security Appliance<br />
This chapter describes the initial configuration of the adaptive security appliance.<br />
You can perform the configuration steps using either the browser-based <strong>Cisco</strong><br />
Adaptive Security Device Manager (ASDM) or the command-line interface<br />
(CLI). The procedures in this chapter describe how to configure the adaptive<br />
security appliance using ASDM.<br />
This chapter includes the following sections:<br />
• About the Factory Default Configuration, page 4-1<br />
• Using the CLI for Configuration, page 4-2<br />
• Using the Adaptive Security Device Manager for Configuration, page 4-2<br />
• Running the ASDM Startup Wizard, page 4-8<br />
• What to Do Next, page 4-9<br />
About the Factory Default Configuration<br />
<strong>Cisco</strong> adaptive security appliances are shipped with a factory-default configuration<br />
that enables quick startup. The default factory configuration for the <strong>ASA</strong> <strong>5580</strong><br />
adaptive security appliance configures the following:<br />
• The management interface, Management 0/0. If you did not set the IP address<br />
in the configure factory-default command, then the IP address and mask are<br />
192.168.1.1 and 255.255.255.0.<br />
• The DHCP server is enabled on the adaptive security appliance, so a PC<br />
connecting to the interface receives an address between 192.168.1.2 and<br />
192.168.1.254.<br />
• The HTTP server is enabled for ASDM and is accessible to users on the<br />
192.168.1.0 network.<br />
The configuration consists of the following commands:<br />
<pre>
! Management 0/0 is the only interface the factory default configures
interface management 0/0
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
! ASDM logging and command history
asdm logging informational 100
asdm history enable
! HTTPS server for ASDM, reachable only from the 192.168.1.0/24 management network
http server enable
http 192.168.1.0 255.255.255.0 management
! DHCP server for the PC attached to the management interface
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
</pre>
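As an added example (not code from the Cisco guide), the following Python script parses a configuration fragment in the form printed above and checks the settings that matter for the management plane: that ASDM http access is no wider than the management subnet, that the DHCP pool stays inside that subnet and excludes the interface address, and whether the ICMP deny rule recommended later in this chapter for the outside interface is present. The sample configuration is constructed from the factory defaults shown here, and all function and variable names are the example's own.

```python
"""Audit an ASA management-plane configuration fragment.

Added example, not part of Cisco's guide. It parses a config in the form
printed in this chapter and flags settings that widen exposure of the
privileged management interface, and reports whether an all-ICMP deny rule
exists on the outside interface. Names here are this example's own.
"""
import ipaddress

# Constructed sample: the factory-default configuration from this chapter.
FACTORY_DEFAULT = """\
interface management 0/0
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
"""

# Sub-commands that belong to an interface block ("show run" indents them,
# the printed guide does not, so indentation is not relied on).
INTERFACE_SUBCMDS = {"ip", "nameif", "security-level", "no", "shutdown",
                     "management-only", "description"}


def parse_config(text):
    """Collect interfaces (keyed by nameif), http entries, dhcpd pools and icmp rules."""
    cfg = {"interfaces": {}, "http_server": False, "http": [], "dhcpd": [], "icmp": []}
    current = None  # interface block being read, if any
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            current = {"name": " ".join(tokens[1:]), "ip": None, "nameif": None}
            continue
        if current is not None and tokens[0] in INTERFACE_SUBCMDS:
            if tokens[:2] == ["ip", "address"] and len(tokens) >= 4:
                current["ip"] = ipaddress.ip_interface(f"{tokens[2]}/{tokens[3]}")
            elif tokens[0] == "nameif" and len(tokens) == 2:
                current["nameif"] = tokens[1]
                cfg["interfaces"][tokens[1]] = current
            continue
        current = None  # any other command ends the interface block
        if tokens[:3] == ["http", "server", "enable"]:
            cfg["http_server"] = True
        elif tokens[0] == "http" and len(tokens) == 4:
            net = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
            cfg["http"].append((net, tokens[3]))
        elif tokens[:2] == ["dhcpd", "address"] and len(tokens) == 4:
            lo, hi = tokens[2].split("-")
            cfg["dhcpd"].append((ipaddress.ip_address(lo), ipaddress.ip_address(hi), tokens[3]))
        elif tokens[0] == "icmp" and len(tokens) >= 4:
            cfg["icmp"].append(tokens[1:])
    return cfg


def icmp_all_denied(cfg, ifname):
    """True if an 'icmp deny' rule covering every source and every ICMP type exists
    on ifname (the CLI form of the ASDM rule: IP 0.0.0.0, mask 0.0.0.0, deny)."""
    for rule in cfg["icmp"]:
        if rule[0] != "deny" or rule[-1] != ifname:
            continue
        if rule[1:-1] == ["any"] or rule[1:-1] == ["0.0.0.0", "0.0.0.0"]:
            return True
    return False


def audit(cfg):
    """Return a list of findings; an empty list means the fragment passed."""
    findings = []
    for net, ifname in cfg["http"]:
        iface = cfg["interfaces"].get(ifname)
        if net.prefixlen == 0:
            findings.append(f"http access allowed from any address on {ifname}")
        elif iface is None or iface["ip"] is None:
            findings.append(f"http access on interface {ifname} without an IP address")
        elif not net.subnet_of(iface["ip"].network):
            findings.append(f"http access from {net} is wider than the {ifname} subnet "
                            f"{iface['ip'].network}")
    for lo, hi, ifname in cfg["dhcpd"]:
        iface = cfg["interfaces"].get(ifname)
        if iface is None or iface["ip"] is None:
            findings.append(f"dhcpd pool on interface {ifname} without an IP address")
            continue
        if lo not in iface["ip"].network or hi not in iface["ip"].network:
            findings.append(f"dhcpd pool {lo}-{hi} is outside {iface['ip'].network}")
        if lo <= iface["ip"].ip <= hi:
            findings.append(f"dhcpd pool {lo}-{hi} includes the interface address "
                            f"{iface['ip'].ip}")
    if "outside" in cfg["interfaces"] and not icmp_all_denied(cfg, "outside"):
        findings.append("no 'icmp deny any outside' rule on the outside interface")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(FACTORY_DEFAULT)) or ["factory default: no findings"]:
        print(line)
```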
Using the CLI for Configuration<br />
In addition to the ASDM web configuration tool, you can configure the adaptive<br />
security appliance by using the command-line interface.<br />
For step-by-step configuration procedures for all functional areas of the adaptive<br />
security appliance, see the <strong>Cisco</strong> Security Appliance Command Line<br />
Configuration <strong>Guide</strong>.<br />
Using the Adaptive Security Device Manager for<br />
Configuration<br />
The Adaptive Security Device Manager (ASDM) is a feature-rich graphical<br />
interface that allows you to manage and monitor the adaptive security appliance.<br />
The web-based design provides secure access so that you can connect to and<br />
manage the adaptive security appliance from any location by using a web browser.<br />
In addition to complete configuration and management capability, ASDM<br />
features intelligent wizards to simplify and accelerate the deployment of the<br />
adaptive security appliance.<br />
This section includes the following topics:<br />
• Preparing to Use ASDM, page 4-3<br />
• Gathering Configuration Information for Initial Setup, page 4-4<br />
• Installing the ASDM Launcher, page 4-5<br />
• Starting ASDM with a Web Browser, page 4-7<br />
Preparing to Use ASDM<br />
Before you can use ASDM, perform the following steps:<br />
Step 1<br />
If you have not already done so, connect the Management 0/0 interface to a switch<br />
or hub by using the Ethernet cable. To this same switch, connect a PC for<br />
configuring the adaptive security appliance.<br />
Step 2<br />
Configure your PC to use DHCP (to receive an IP address automatically from the<br />
adaptive security appliance), which enables the PC to communicate with the<br />
adaptive security appliance and the Internet as well as to run ASDM for<br />
configuration and management tasks.<br />
Alternatively, you can assign a static IP address to your PC by selecting an address<br />
in the 192.168.1.0 subnet. (Valid addresses are 192.168.1.2 through<br />
192.168.1.254, with a mask of 255.255.255.0 and default route of 192.168.1.1.)<br />
When you connect other devices to any of the inside ports, make sure that they do<br />
not have the same IP address.<br />
Note<br />
The Management 0/0 interface of the adaptive security appliance is<br />
assigned 192.168.1.1 by default, so this address is unavailable.<br />
Step 3<br />
Check the LINK LED on the Management 0/0 interface.<br />
When a connection is established, the LINK LED on the adaptive security appliance and the corresponding LINK LED on the switch or hub turn solid green.<br />
Gathering Configuration Information for Initial Setup<br />
Gather the following information to be used with the ASDM Startup Wizard:<br />
• A unique hostname to identify the adaptive security appliance on your<br />
network.<br />
• The domain name.<br />
• The IP addresses of your outside interface, inside interface, and any other<br />
interfaces to be configured.<br />
• IP addresses for hosts that should have administrative access to this device<br />
using HTTPS for ASDM, SSH, or Telnet.<br />
• The privileged mode password for administrative access.<br />
• The IP addresses to use for NAT or PAT address translation, if any.<br />
• The IP address range for the DHCP server.<br />
• The IP address for the WINS server.<br />
• Static routes to be configured.<br />
• If you want to create a DMZ, you must create a third VLAN and assign ports<br />
to that VLAN. (By default, there are two VLANs configured.)<br />
• Interface configuration information: whether traffic is permitted between<br />
interfaces at the same security level, and whether traffic is permitted between<br />
hosts on the same interface.<br />
• If you are configuring an Easy VPN hardware client, the IP addresses of<br />
primary and secondary Easy VPN servers; whether the client is to run in<br />
client or network extension mode; and user and group login credentials to<br />
match those configured on the primary and secondary Easy VPN servers.<br />
Installing the ASDM Launcher<br />
You can launch ASDM in either of two ways: by downloading the ASDM<br />
Launcher software so that ASDM runs locally on your PC, or by enabling Java and<br />
JavaScript in your web browser and accessing ASDM remotely from your PC.<br />
This procedure describes how to set up your system to run ASDM locally.<br />
To install the ASDM Launcher, perform the following steps:<br />
Step 1<br />
On the PC connected to the switch or hub, launch an Internet browser.<br />
a. In the address field of the browser, enter this URL: https://192.168.1.1/admin<br />
Note<br />
The adaptive security appliance ships with a default IP address of 192.168.1.1. Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.<br />
The <strong>Cisco</strong> ASDM splash screen appears.<br />
b. Click Install ASDM Launcher and Run ASDM.<br />
c. In the dialog box that requires a username and password, leave both fields<br />
empty. Click OK.<br />
d. Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes.<br />
e. When the File Download dialog box opens, click Open to run the installation program directly. It is not necessary to save the installation software to your hard drive.<br />
f. When the InstallShield Wizard appears, follow the instructions to install the ASDM Launcher software.<br />
Step 2 From your desktop, start the <strong>Cisco</strong> ASDM Launcher software.<br />
A dialog box appears.<br />
Step 3 Enter the IP address or the hostname of your adaptive security appliance.<br />
Step 4<br />
Leave the Username and Password fields blank.<br />
Note<br />
By default, there is no Username and Password set for the <strong>Cisco</strong> ASDM<br />
Launcher.<br />
Step 5 Click OK.<br />
Step 6 If you receive a security warning containing a request to accept a certificate, click Yes.<br />
The adaptive security appliance checks to see if there is updated software and if<br />
so, downloads it automatically.<br />
The main ASDM window appears.<br />
Starting ASDM with a Web Browser<br />
To run ASDM in a web browser, enter the factory default IP address in the address<br />
field: https://192.168.1.1/admin/.<br />
Note<br />
Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over<br />
SSL) provides a secure connection between your browser and the adaptive<br />
security appliance.<br />
The Main ASDM window appears.<br />
Running the ASDM Startup Wizard<br />
ASDM includes a Startup Wizard to simplify the initial configuration of your<br />
adaptive security appliance. With a few steps, the Startup Wizard enables you to<br />
configure the adaptive security appliance so that it allows packets to flow securely<br />
between the inside network and the outside network.<br />
To use the Startup Wizard to set up a basic configuration for the adaptive security<br />
appliance, perform the following steps:<br />
Step 1 From the Wizards menu at the top of the ASDM window, choose Startup Wizard.<br />
Step 2 Follow the instructions in the Startup Wizard to set up your adaptive security appliance.<br />
For information about any field in the Startup Wizard, click Help at the bottom of<br />
the window.<br />
Note<br />
If you get an error requesting a DES license or a 3DES-AES license, see<br />
Appendix A, “Obtaining a 3DES/AES License” for information.<br />
Note<br />
Based on your network security policy, you should also consider configuring the<br />
adaptive security appliance to deny all ICMP traffic through the outside interface<br />
or any other interface that is necessary. You can configure this access control<br />
policy using ASDM. From the ASDM main page, click Configuration ><br />
Properties > ICMP Rules. Add an entry for the outside interface. Set the IP<br />
address to 0.0.0.0, the netmask to 0.0.0.0, and Action to deny.<br />
What to Do Next<br />
Configure the adaptive security appliance for your deployment using one or more of the following chapters:<br />
<table>
<tr><th>To Do This...</th><th>See...</th></tr>
<tr><td>Configure the adaptive security appliance for SSL VPN connections using software clients</td><td>Chapter 5, “Scenario: Configuring Connections for a <strong>Cisco</strong> AnyConnect VPN Client”</td></tr>
<tr><td>Configure the adaptive security appliance for SSL VPN connections using a web browser</td><td>Chapter 6, “Scenario: SSL VPN Clientless Connections”</td></tr>
<tr><td>Configure the adaptive security appliance for site-to-site VPN</td><td>Chapter 7, “Scenario: Site-to-Site VPN Configuration”</td></tr>
<tr><td>Configure the adaptive security appliance for remote-access VPN</td><td>Chapter 8, “Scenario: IPsec Remote-Access VPN Configuration”</td></tr>
</table>
Chapter 5 Scenario: Configuring Connections for a <strong>Cisco</strong> AnyConnect VPN Client<br />
This chapter describes how to configure the adaptive security appliance so that<br />
remote users can establish SSL connections using a <strong>Cisco</strong> AnyConnect VPN<br />
Client.<br />
This chapter includes the following sections:<br />
• About SSL VPN Client Connections, page 5-1<br />
• Obtaining the <strong>Cisco</strong> AnyConnect VPN Client Software, page 5-2<br />
• Example Topology Using AnyConnect SSL VPN Clients, page 5-3<br />
• Implementing the <strong>Cisco</strong> SSL VPN Scenario, page 5-3<br />
• What to Do Next, page 5-14<br />
About SSL VPN Client Connections<br />
With an SSL VPN client setup, remote users do not need to install a software<br />
client before attempting to establish a connection. Instead, remote users enter the<br />
IP address or DNS name of a <strong>Cisco</strong> SSL VPN interface in their browser. The<br />
browser connects to that interface and displays the SSL VPN login screen. If the<br />
user successfully authenticates and the adaptive security appliance identifies the<br />
user as requiring the client, it pushes the client that matches the operating system<br />
of the remote computer.<br />
Note<br />
Administrative rights are required the first time the <strong>Cisco</strong> AnyConnect VPN<br />
Client is installed or downloaded.<br />
After downloading, the client installs and configures itself and then establishes a<br />
secure SSL connection. When the connection terminates, the client software<br />
either remains or uninstalls itself, depending on how you configure the adaptive<br />
security appliance.<br />
If a remote user has previously established an SSL VPN connection and the client software is not instructed to uninstall itself, when the user authenticates, the adaptive security appliance examines the client version and upgrades it if necessary.<br />
Obtaining the <strong>Cisco</strong> AnyConnect VPN Client Software<br />
The adaptive security appliance obtains the AnyConnect VPN Client software<br />
from the <strong>Cisco</strong> website. This chapter provides instructions for configuring the<br />
SSL VPN using a configuration Wizard. You can download the <strong>Cisco</strong> SSL VPN<br />
software during the configuration process.<br />
Users can download the AnyConnect VPN Client from the adaptive security<br />
appliance, or it can be installed manually on the remote PC by the system<br />
administrator. For more information about installing the client software manually,<br />
see the <strong>Cisco</strong> AnyConnect VPN Client Administrator <strong>Guide</strong>.<br />
The adaptive security appliance pushes the client software based on the group<br />
policy or username attributes of the user establishing the connection. You can<br />
configure the adaptive security appliance to automatically push the client each<br />
time the user establishes a connection, or you can configure it to prompt the<br />
remote user to specify whether to download the client. In the latter case, if the user<br />
does not respond, you can configure the adaptive security appliance either to push<br />
the client after a timeout period or present the SSL VPN login screen.<br />
5-2<br />
<strong>Cisco</strong> <strong>ASA</strong> <strong>5580</strong> <strong>Getting</strong> <strong>Started</strong> <strong>Guide</strong><br />
78-18101-01
Chapter 5<br />
Scenario: Configuring Connections for a <strong>Cisco</strong> AnyConnect VPN Client<br />
Example Topology Using AnyConnect SSL VPN Clients<br />
Figure 5-1 shows an adaptive security appliance configured to accept requests for<br />
and establish SSL connections from clients running the AnyConnect SSL VPN<br />
software. The adaptive security appliance can support connections to both clients<br />
running the AnyConnect VPN software and browser-based clients.<br />
Figure 5-1 Network Layout for SSL VPN Scenario<br />
[Figure: the security appliance sits between its Inside interface (internal network 10.10.10.0, with a DNS server at 10.10.10.163 and a WINS server at 10.10.10.133) and its Outside interface (Internet). Three remote users reach it across the Internet: two AnyConnect VPN clients (user 1 and user 2) and one browser-based client (user 3).]<br />
Implementing the <strong>Cisco</strong> SSL VPN Scenario<br />
This section describes how to configure the adaptive security appliance to accept<br />
<strong>Cisco</strong> AnyConnect SSL VPN connections. Values for example configuration<br />
settings are taken from the SSL VPN scenario illustrated in Figure 5-1.<br />
This section includes the following topics:<br />
• Information to Have Available, page 5-4<br />
• Starting ASDM, page 5-5<br />
• Configuring the <strong>ASA</strong> <strong>5580</strong> for the <strong>Cisco</strong> AnyConnect VPN Client, page 5-6<br />
• Specifying the SSL VPN Interface, page 5-7<br />
• Specifying a User Authentication Method, page 5-8<br />
• Specifying a Group Policy, page 5-10<br />
• Configuring the <strong>Cisco</strong> AnyConnect VPN Client, page 5-11<br />
• Verifying the Remote-Access VPN Configuration, page 5-13<br />
Information to Have Available<br />
Before you begin configuring the adaptive security appliance to accept<br />
AnyConnect SSL VPN connections, make sure that you have the following<br />
information available:<br />
• Name of the interface on the adaptive security appliance to which remote<br />
users will connect.<br />
• Digital certificate<br />
The <strong>ASA</strong> <strong>5580</strong> generates a self-signed certificate by default. However, for<br />
enhanced security you may want to purchase a publicly trusted SSL VPN<br />
certificate before putting the system in a production environment.<br />
• Range of IP addresses to be used in an IP pool. These addresses are assigned<br />
to SSL AnyConnect VPN clients as they are successfully connected.<br />
• List of users to be used in creating a local authentication database, unless you<br />
are using a AAA server for authentication.<br />
• If you are using a AAA server for authentication:<br />
– AAA Server group name<br />
– Authentication protocol to be used (TACACS, SDI, NT, Kerberos,<br />
LDAP)<br />
– IP address of the AAA server<br />
– Interface of the adaptive security appliance to be used for authentication<br />
– Secret key to authenticate with the AAA server<br />
Starting ASDM<br />
This section describes how to start ASDM using the ASDM Launcher software.<br />
If you have not installed the ASDM Launcher software, see Installing the ASDM<br />
Launcher, page 4-5.<br />
If you prefer to access ASDM directly with a web browser or using Java, see<br />
Starting ASDM with a Web Browser, page 4-7.<br />
To start ASDM using the ASDM Launcher software, perform the following steps:<br />
Step 1 From your desktop, start the <strong>Cisco</strong> ASDM Launcher software.<br />
A dialog box appears.<br />
Step 2 Enter the IP address or the hostname of your adaptive security appliance.<br />
Step 3 Leave the Username and Password fields blank.<br />
Note By default, there is no Username and Password set for the <strong>Cisco</strong> ASDM<br />
Launcher.<br />
Step 4 Click OK.<br />
Step 5 If you receive a security warning containing a request to accept a certificate, click<br />
Yes.<br />
The <strong>ASA</strong> <strong>5580</strong> checks to see if there is updated software and if so, downloads it<br />
automatically.<br />
The main ASDM window appears.<br />
Configuring the <strong>ASA</strong> <strong>5580</strong> for the <strong>Cisco</strong> AnyConnect VPN Client<br />
To begin the configuration process, perform the following steps:<br />
Step 1 In the main ASDM window, choose SSL VPN Wizard from the Wizards<br />
drop-down menu. The SSL VPN Wizard Step 1 screen appears.<br />
Step 2 In Step 1 of the SSL VPN Wizard, perform the following steps:<br />
a. Check the <strong>Cisco</strong> SSL VPN Client check box.<br />
b. Click Next to continue.<br />
Specifying the SSL VPN Interface<br />
In Step 2 of the SSL VPN Wizard, perform the following steps:<br />
Step 1 Specify a Connection Name to which remote users connect.<br />
Step 2 From the SSL VPN Interface drop-down list, choose the interface to which remote<br />
users connect. When users establish a connection to this interface, the SSL VPN<br />
portal page is displayed.<br />
Step 3 From the Certificate drop-down list, choose the certificate the <strong>ASA</strong> <strong>5580</strong> sends to<br />
the remote user to authenticate the <strong>ASA</strong> <strong>5580</strong>.<br />
Step 4 Click Next to continue.<br />
Specifying a User Authentication Method<br />
In Step 3 of the SSL VPN Wizard, perform the following steps:<br />
Step 1<br />
If you are using a AAA server or server group for authentication, perform the<br />
following steps:<br />
a. Click the Authenticate using a AAA server group radio button.<br />
b. Specify a AAA Server Group Name.<br />
c. You can either choose an existing AAA server group name from the<br />
drop-down list, or you can create a new server group by clicking New.<br />
To create a new AAA Server Group, click New. The New Authentication<br />
Server Group dialog box appears.<br />
In this dialog box, specify the following:<br />
– A server group name<br />
– The Authentication Protocol to be used (RADIUS, TACACS, SDI, NT,<br />
Kerberos, LDAP)<br />
– IP address of the AAA server<br />
– Interface of the adaptive security appliance<br />
– Secret key to be used when communicating with the AAA server<br />
Click OK.<br />
Step 2 If you have chosen to authenticate users with the local user database, you can<br />
create new user accounts here. You can also add users later using the ASDM<br />
configuration interface.<br />
To add a new user, enter a username and password, and then click Add.<br />
Step 3 When you have finished adding new users, click Next to continue.<br />
Specifying a Group Policy<br />
In Step 4 of the SSL VPN Wizard, specify a group policy by performing the<br />
following steps:<br />
Step 1 Click the Create new group policy radio button and specify a group name.<br />
OR<br />
Click the Modify an existing group policy radio button and choose a group from<br />
the drop-down list.<br />
Step 2 Click Next.<br />
Step 3 Step 5 of the SSL VPN Wizard appears. This step does not apply to AnyConnect<br />
VPN client connections.<br />
Step 4 Click Next again.<br />
Configuring the <strong>Cisco</strong> AnyConnect VPN Client<br />
For remote clients to gain access to your network with a <strong>Cisco</strong> AnyConnect VPN<br />
Client, you must configure a pool of IP addresses that can be assigned to remote<br />
VPN clients as they are successfully connected. In this scenario, the pool is<br />
configured to use the range of IP addresses 209.165.201.1–209.166.201.20.<br />
You must also specify the location of the AnyConnect software so that the<br />
adaptive security appliance can push it to users.<br />
In Step 6 of the SSL VPN Wizard, perform the following steps:<br />
Step 1 To use a preconfigured address pool, choose the name of the pool from the IP<br />
Address Pool drop-down list.<br />
Step 2 Alternatively, click New to create a new address pool.<br />
Step 3 Specify the location of the AnyConnect VPN Client software image.<br />
To obtain the most current version of the software, click Download Latest<br />
AnyConnect VPN Client from cisco.com. This downloads the client software to<br />
your PC.<br />
Step 4 Click Next to continue.<br />
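The address pool deserves a check before it is typed into the wizard, whether as the "Range of IP addresses" item under Information to Have Available or as the pool created in this section: the range is a contiguous start and end address, it must not overlap the network behind the Inside interface (10.10.10.0 in Figure 5-1), and a slip in one octet silently turns a 20-address pool into tens of thousands of addresses. The following Python script is an added example and is not part of this guide or of Cisco's software. The pool range is the one given in this section; the /24 prefix on the inside network, the 1024-address ceiling, and the mask parameter (standing in for the subnet mask associated with the pool) are assumptions of the example.<br />

```python
import ipaddress

# Constructed inputs: the pool range from this section and the inside network
# from Figure 5-1 (the figure gives 10.10.10.0; the /24 prefix is an assumption).
POOL_START = "209.165.201.1"
POOL_END = "209.165.201.20"
POOL_MASK = "255.255.255.0"
INSIDE_NETWORKS = ["10.10.10.0/24"]


def check_pool(start, end, mask, inside_networks, max_size=1024):
    """Sanity-check a VPN address pool; returns {"size": n, "problems": [...]}.

    Checks performed:
    - the end address must not precede the start address;
    - the pool must hold at most max_size addresses (an assumed ceiling that
      catches a typo in a high octet);
    - start and end must fall in the same network under the given mask;
    - no pool address may overlap a network directly connected to the appliance,
      otherwise VPN client traffic and inside host traffic collide.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        return {"size": 0, "problems": ["pool end %s precedes pool start %s" % (end, start)]}

    problems = []
    size = int(last) - int(first) + 1
    if size > max_size:
        problems.append("pool holds %d addresses, more than the %d allowed" % (size, max_size))

    # Network of the start address under the pool mask; the end must lie inside it.
    start_net = ipaddress.IPv4Network((first, mask), strict=False)
    if last not in start_net:
        problems.append("pool end %s is outside %s (network of the start under mask %s)"
                        % (last, start_net, mask))

    for net in (ipaddress.IPv4Network(n) for n in inside_networks):
        # Two address ranges overlap unless one ends before the other begins.
        if not (last < net.network_address or first > net.broadcast_address):
            problems.append("pool overlaps directly connected network %s" % net)

    return {"size": size, "problems": problems}


if __name__ == "__main__":
    for label, end in (("as documented", POOL_END), ("one octet off", "209.166.201.20")):
        print(label, check_pool(POOL_START, end, POOL_MASK, INSIDE_NETWORKS))
```

Run as a script it reports the documented pool as clean (20 addresses) and flags the one-octet variant twice, once for size and once because the end address has left the start address's network.<br />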
Verifying the Remote-Access VPN Configuration<br />
In Step 7 of the SSL VPN Wizard, review the configuration settings to ensure that<br />
they are correct. The displayed configuration should be similar to the following:<br />
If you are satisfied with the configuration, click Finish to apply the changes to the<br />
adaptive security appliance.<br />
If you want the configuration changes to be saved to the startup configuration so<br />
that they are applied the next time the device starts, from the File menu, click<br />
Save. Alternatively, ASDM prompts you to save the configuration changes<br />
permanently when you exit ASDM.<br />
If you do not save the configuration changes, the old configuration takes effect the<br />
next time the device starts.<br />
What to Do Next<br />
If you are deploying the adaptive security appliance solely to support AnyConnect<br />
VPN connections, you have completed the initial configuration. In addition, you<br />
may want to consider performing some of the following steps:<br />
To Do This... | See...<br />
Refine configuration and configure optional and advanced features | <strong>Cisco</strong> Security Appliance Command Line Configuration <strong>Guide</strong><br />
Learn about daily operations | <strong>Cisco</strong> Security Appliance Command Reference; <strong>Cisco</strong> Security Appliance Logging Configuration and System Log Messages<br />
You can configure the adaptive security appliance for more than one application.<br />
The following sections provide configuration procedures for other common<br />
applications of the adaptive security appliance:<br />
To Do This... | See...<br />
Configure clientless (browser-based) SSL VPN | Chapter 6, “Scenario: SSL VPN Clientless Connections”<br />
Configure a site-to-site VPN | Chapter 7, “Scenario: Site-to-Site VPN Configuration”<br />
Configure a remote-access IPSec VPN | Chapter 8, “Scenario: IPsec Remote-Access VPN Configuration”<br />
CHAPTER 6<br />
Scenario: SSL VPN Clientless Connections<br />
This chapter describes how to use the adaptive security appliance to accept remote<br />
access SSL VPN connections without a software client (clientless). A clientless<br />
SSL VPN allows you to create secure connections, or tunnels, across the Internet<br />
using a web browser. This provides secure access to off-site users without a<br />
software client or hardware client.<br />
This chapter includes the following sections:<br />
• About Clientless SSL VPN, page 6-1<br />
• Example Network with Browser-Based SSL VPN Access, page 6-3<br />
• Implementing the Clientless SSL VPN Scenario, page 6-4<br />
• What to Do Next, page 6-18<br />
About Clientless SSL VPN<br />
Clientless SSL VPN connections enable secure and easy access to a broad range<br />
of web resources and web-enabled applications from almost any computer on the<br />
Internet. They include the following:<br />
• Internal websites<br />
• Web-enabled applications<br />
• NT/Active Directory and FTP file shares<br />
• E-mail proxies, including POP3S, IMAP4S, and SMTPS<br />
• MS Outlook Web Access<br />
• MAPI<br />
• Application Access (that is, port forwarding for access to other TCP-based<br />
applications) and Smart Tunnels<br />
Clientless SSL VPN uses the Secure Sockets Layer (SSL) protocol and its<br />
successor, Transport Layer Security (TLS), to provide the secure connection<br />
between remote users and the specific, supported internal resources that you<br />
configure at a central site. The adaptive security appliance recognizes connections<br />
that need to be proxied, and its HTTP server interacts with the authentication<br />
subsystem to authenticate users.<br />
The network administrator provides access to resources by users of Clientless<br />
SSL VPN on a group basis.<br />
Security Considerations for Clientless SSL VPN Connections<br />
Clientless SSL VPN connections on the adaptive security appliance differ from<br />
remote access IPsec connections, particularly with respect to how they interact<br />
with SSL-enabled servers and the validation of certificates.<br />
In a Clientless SSL VPN connection, the adaptive security appliance acts as a<br />
proxy between the end user web browser and target web servers. When a user<br />
connects to an SSL-enabled web server, the adaptive security appliance<br />
establishes a secure connection and validates the server SSL certificate. The end<br />
user browser never receives the presented certificate, so it cannot examine and<br />
validate the certificate.<br />
The current implementation of Clientless SSL VPN on the adaptive security<br />
appliance does not permit communication with sites that present expired<br />
certificates. The adaptive security appliance does not perform trusted CA<br />
certificate validation. Therefore, users cannot analyze the certificate an<br />
SSL-enabled web server presents before communicating with it.<br />
To minimize the risks involved with SSL certificates:<br />
1. Configure a group policy that consists of all users who need Clientless SSL<br />
VPN access and enable it only for that group policy.<br />
2. Limit Internet access for Clientless SSL VPN users, for example, by limiting<br />
which resources a user can access using a clientless SSL VPN connection. To<br />
do this, you could restrict the user from accessing general content on the<br />
Internet. Then, you could configure links to specific targets on the internal<br />
network that you want users of Clientless SSL VPN to be able to access.<br />
3. Educate users. If an SSL-enabled site is not inside the private network, users<br />
should not visit this site over a Clientless SSL VPN connection. They should<br />
open a separate browser window to visit such sites, and use that browser to<br />
view the presented certificate.<br />
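The three mitigations above share a premise: because the portal hides the server certificate from the browser and the appliance checks only for expiry, somebody has to look at the certificates of internal servers out-of-band. The following Python script is an added example, not part of this guide or of Cisco's software. It fetches a server certificate over a direct connection (not through the portal) and reports the things the appliance would not tell the user: approaching expiry, a self-signed issuer, and a name mismatch. The sample certificate dictionary, host names and dates are constructed for the example; the fetch helper needs network access and is not exercised by the offline sample run.<br />

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# validated certificate; names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "intranet.corp.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "intranet.corp.example.com"),
                       ("DNS", "*.corp.example.com")),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
# The "current time" used by the offline sample run (constructed).
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec 01 00:00:00 2024 GMT")


def fetch_peer_cert(host, port=443, cafile=None, timeout=5.0):
    """Connect directly (not through the portal) and return ("trusted", cert)
    when the chain validates against the system store or cafile, otherwise
    ("untrusted", None). This is the trust check the appliance does not perform."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "trusted", tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "untrusted", None


def hostname_matches(cert, hostname):
    """True when hostname is covered by a DNS subjectAltName (exact or a
    single-label wildcard); falls back to commonName only if there are no SANs."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            # A wildcard covers exactly one label, so the dot counts must agree.
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def assess_certificate(cert, hostname, now=None, warn_days=30):
    """Report what the clientless portal would not show the user."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    findings = []
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired")  # the appliance refuses these outright
    elif days_left < warn_days:
        findings.append("expires in %d days" % days_left)
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed")  # the appliance does not flag this
    if not hostname_matches(cert, hostname):
        findings.append("name mismatch for %s" % hostname)
    return {"days_left": days_left, "findings": findings}


if __name__ == "__main__":
    print(assess_certificate(SAMPLE_CERT, "web.corp.example.com", now=SAMPLE_NOW))
```

To use it against a real internal server, call fetch_peer_cert with the enterprise CA bundle as cafile and pass the returned dictionary to assess_certificate; an "untrusted" result or a non-empty findings list is the signal the portal would otherwise have swallowed.<br />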
The adaptive security appliance does not support the following features for<br />
Clientless SSL VPN connections:<br />
• NAT, reducing the need for globally unique IP addresses.<br />
• PAT, permitting multiple outbound sessions to appear to originate from a single<br />
IP address.<br />
Example Network with Browser-Based SSL VPN Access<br />
Figure 6-1 shows the adaptive security appliance configured to accept SSL VPN<br />
connection requests over the Internet using a web browser.<br />
Figure 6-1 Network Layout for SSL VPN Connections<br />
[Figure: the security appliance connects the internal network 10.10.10.0 on its Inside interface (DNS server 10.10.10.163, WINS server 10.10.10.133) to the Internet on its Outside interface. Remote users reach it across the Internet either with the Cisco AnyConnect VPN Client or through clientless (browser-based) VPN access.]<br />
Implementing the Clientless SSL VPN Scenario<br />
This section describes how to configure the adaptive security appliance to accept<br />
SSL VPN requests from web browsers. Values for example configuration settings<br />
are taken from the remote-access scenario illustrated in Figure 6-1.<br />
This section includes the following topics:<br />
• Information to Have Available, page 6-5<br />
• Starting ASDM, page 6-5<br />
• Configuring the <strong>ASA</strong> <strong>5580</strong> for Browser-Based SSL VPN Connections,<br />
page 6-7<br />
• Specifying the SSL VPN Interface, page 6-8<br />
• Specifying a User Authentication Method, page 6-10<br />
• Specifying a Group Policy, page 6-11<br />
• Creating a Bookmark List for Remote Users, page 6-12<br />
• Verifying the Configuration, page 6-16<br />
Information to Have Available<br />
Before you begin configuring the adaptive security appliance to accept<br />
browser-based (clientless) SSL VPN connections, make sure that you have the<br />
following information available:<br />
• Name of the interface on the adaptive security appliance to which remote<br />
users will connect. When remote users connect to this interface, the SSL VPN<br />
Portal Page is displayed.<br />
• Digital certificate<br />
The <strong>ASA</strong> <strong>5580</strong> generates a self-signed certificate by default. For improved<br />
security and to eliminate browser warning messages, you may want to<br />
purchase a publicly trusted SSL VPN certificate before putting the system in<br />
a production environment.<br />
• List of users to be used in creating a local authentication database, unless you<br />
are using a AAA server for authentication.<br />
• If you are using a AAA server for authentication, the AAA Server Group<br />
Name<br />
• The following information about group policies on the AAA server:<br />
– Server group name<br />
– Authentication protocol to be used (TACACS, SDI, NT, Kerberos,<br />
LDAP)<br />
– IP address of the AAA server<br />
– Interface of the adaptive security appliance to be used for authentication<br />
– Secret key to authenticate with the AAA server<br />
• List of internal websites or pages you want to appear on the SSL VPN portal<br />
page when remote users establish a connection. Because this is the page users<br />
see when they first establish a connection, it should contain the most<br />
frequently used targets for remote users.<br />
Starting ASDM<br />
This section describes how to start ASDM using the ASDM Launcher software.<br />
If you have not installed the ASDM Launcher software, see Installing the ASDM<br />
Launcher, page 4-5.<br />
If you prefer to access ASDM directly with a web browser or using Java, see<br />
Starting ASDM with a Web Browser, page 4-7.<br />
To start ASDM using the ASDM Launcher software, perform the following steps:<br />
Step 1 From your desktop, start the <strong>Cisco</strong> ASDM Launcher software.<br />
A dialog box appears.<br />
Step 2 Enter the IP address or the host name of your adaptive security appliance.<br />
Step 3 Leave the Username and Password fields blank.<br />
Note By default, there is no Username and Password set for the <strong>Cisco</strong> ASDM<br />
Launcher.<br />
Step 4 Click OK.<br />
Step 5 If you receive a security warning containing a request to accept a certificate, click<br />
Yes.<br />
The <strong>ASA</strong> <strong>5580</strong> checks to see if there is updated software and if so, downloads it<br />
automatically.<br />
The main ASDM window appears.<br />
Configuring the <strong>ASA</strong> <strong>5580</strong> for Browser-Based SSL VPN Connections<br />
To begin the process for configuring a browser-based SSL VPN, perform the<br />
following steps:<br />
Step 1 In the main ASDM window, choose SSL VPN Wizard from the Wizards<br />
drop-down menu. The SSL VPN Wizard Step 1 screen appears.<br />
Step 2 In Step 1 of the SSL VPN Wizard, perform the following steps:<br />
a. Check the Browser-based SSL VPN (Web VPN) check box.<br />
b. Click Next to continue.<br />
Specifying the SSL VPN Interface<br />
In Step 2 of the SSL VPN Wizard, perform the following steps:<br />
Step 1 Specify a Connection Name to which remote users connect.<br />
Step 2 From the SSL VPN Interface drop-down list, choose the interface to which remote<br />
users connect. When users establish a connection to this interface, the SSL VPN<br />
portal page is displayed.<br />
Step 3 From the Certificate drop-down list, choose the certificate the <strong>ASA</strong> <strong>5580</strong> sends to<br />
the remote user to authenticate the <strong>ASA</strong> <strong>5580</strong>.<br />
Note The <strong>ASA</strong> <strong>5580</strong> generates a self-signed certificate by default. For improved<br />
security and to eliminate browser warning messages, you may want to purchase a<br />
publicly trusted SSL VPN certificate before putting the system in a production<br />
environment.<br />
Specifying a User Authentication Method<br />
Users can be authenticated either by a local authentication database or by using<br />
external authentication, authorization, and accounting (AAA) servers (RADIUS,<br />
TACACS+, SDI, NT, Kerberos, and LDAP).<br />
In Step 3 of the SSL VPN Wizard, perform the following steps:<br />
Step 1<br />
If you are using a AAA server or server group for authentication, perform the<br />
following steps:<br />
a. Click the Authenticate using a AAA server group radio button.<br />
b. Choose a preconfigured server group from the Authenticate using an AAA<br />
server group drop-down list, or click New to add a new AAA server group.<br />
To create a new AAA Server Group, click New. The New Authentication<br />
Server Group dialog box appears.<br />
In this dialog box, specify the following:<br />
– A server group name<br />
– The Authentication Protocol to be used (TACACS, SDI, NT, Kerberos,<br />
LDAP)<br />
– IP address of the AAA server<br />
– Interface of the adaptive security appliance<br />
– Secret key to be used when communicating with the AAA server<br />
Click OK.<br />
Step 2 If you have chosen to authenticate users with the local user database, you can<br />
create new user accounts here. You can also add users later using the ASDM<br />
configuration interface.<br />
To add a new user, enter a username and password, and then click Add.<br />
Step 3 When you have finished adding new users, click Next to continue.<br />
Specifying a Group Policy<br />
In Step 4 of the SSL VPN Wizard, specify a group policy by performing the<br />
following steps:<br />
Step 1 Click the Create new group policy radio button and specify a group name.<br />
OR<br />
Click the Modify an existing group policy radio button and choose a group from<br />
the drop-down list.<br />
Step 2 Click Next.<br />
Creating a Bookmark List for Remote Users<br />
You can create a portal page, a special web page that comes up when<br />
browser-based clients establish VPN connections to the adaptive security<br />
appliance, by specifying a list of URLs to which users should have easy access.<br />
In Step 5 of the SSL VPN Wizard, specify URLs to appear on the VPN portal page<br />
by performing the following steps:<br />
Step 1 To specify an existing bookmark list, choose the Bookmark List name from the<br />
drop-down list.<br />
To add a new list or edit an existing list, click Manage.<br />
The Configure GUI Customization Objects dialog box appears.<br />
Step 2 To create a new bookmark list, click Add.<br />
To edit an existing bookmark list, choose the list and click Edit.<br />
The Add Bookmark List dialog box appears.<br />
Step 3 In the URL List Name field, specify a name for the list of bookmarks you are<br />
creating. This is used as the title for your VPN portal page.<br />
Step 4 Click Add to add a new URL to the bookmark list.<br />
The Add Bookmark Entry dialog box appears.<br />
Step 5 Specify a title for the list in the Bookmark Title field.<br />
Step 6 From the URL Value drop-down list, choose the type of URL you are specifying.<br />
For example, choose http, https, ftp, and so on.<br />
Then, specify the complete URL for the page.<br />
Step 7 Click OK to return to the Add Bookmark List dialog box.<br />
Step 8 If you are finished adding bookmark lists, click OK to return to the Configure<br />
GUI Customization Objects dialog box.<br />
Step 9 When you are finished adding and editing bookmark lists, click OK to return to<br />
Step 5 of the SSL VPN Wizard.<br />
Step 10 Choose the name of the bookmark list for this VPN group from the Bookmark List<br />
drop-down list.<br />
Step 11 Click Next to continue.<br />
Verifying the Configuration<br />
In Step 6 of the SSL VPN Wizard, review the configuration settings to ensure that<br />
they are correct. The configuration that appears should be similar to the following:<br />
If you are satisfied with the configuration, click Finish to apply the changes to the<br />
adaptive security appliance.<br />
If you want the configuration changes to be saved to the startup configuration so<br />
that they are applied the next time the device starts, from the File menu, click<br />
Save. Alternatively, ASDM prompts you to save the configuration changes<br />
permanently when you exit ASDM.<br />
If you do not save the configuration changes, the old configuration takes effect the<br />
next time the device starts.<br />
What to Do Next<br />
If you are deploying the adaptive security appliance solely in a clientless SSL<br />
VPN environment, you have completed the initial configuration. In addition, you<br />
may want to consider performing some of the following steps:<br />
• To refine the configuration and configure optional and advanced features, see the<br />
Cisco Security Appliance Command Line Configuration Guide and the<br />
Cisco Security Appliance Command Reference.<br />
• To learn about daily operations, see Cisco Security Appliance Logging<br />
Configuration and System Log Messages.<br />
You can configure the adaptive security appliance for more than one application.<br />
The following sections provide configuration procedures for other common<br />
applications of the adaptive security appliance:<br />
• To configure an AnyConnect VPN, see Chapter 5, “Scenario: Configuring<br />
Connections for a Cisco AnyConnect VPN Client”.<br />
• To configure a site-to-site VPN, see Chapter 7, “Scenario: Site-to-Site<br />
VPN Configuration”.<br />
• To configure a remote-access VPN, see Chapter 8, “Scenario: IPsec<br />
Remote-Access VPN Configuration”.<br />
Chapter 7<br />
Scenario: Site-to-Site VPN Configuration<br />
This chapter describes how to use the adaptive security appliance to create a<br />
site-to-site VPN.<br />
Site-to-site VPN features provided by the adaptive security appliance enable<br />
businesses to extend their networks across low-cost public Internet connections to<br />
business partners and remote offices worldwide while maintaining their network<br />
security. A VPN connection enables you to send data from one location to another<br />
over a secure connection, or tunnel, first by authenticating both ends of the<br />
connection, and then by automatically encrypting all data sent between the two<br />
sites.<br />
This chapter includes the following sections:<br />
• Example Site-to-Site VPN Network Topology, page 7-1<br />
• Implementing the Site-to-Site Scenario, page 7-2<br />
• Configuring the Other Side of the VPN Connection, page 7-13<br />
• What to Do Next, page 7-13<br />
Example Site-to-Site VPN Network Topology<br />
Figure 7-1 shows an example VPN tunnel between two adaptive security<br />
appliances.<br />
Figure 7-1<br />
Network Layout for Site-to-Site VPN Configuration Scenario<br />
Figure contents: Site A, with personal computers and a printer on the inside<br />
network 10.10.10.0, sits behind Adaptive Security Appliance 1 (outside address<br />
209.165.200.226); an ISP router and the Internet lie between the sites; Site B,<br />
with personal computers and a printer on the inside network 10.20.20.0, sits<br />
behind Adaptive Security Appliance 2 (outside address 209.165.200.236).<br />
Creating a VPN site-to-site deployment such as the one in Figure 7-1 requires you<br />
to configure two adaptive security appliances, one on each side of the connection.<br />
Implementing the Site-to-Site Scenario<br />
This section describes how to configure the adaptive security appliance in a<br />
site-to-site VPN deployment, using example parameters from the site-to-site<br />
scenario shown in Figure 7-1.<br />
This section includes the following topics:<br />
• Information to Have Available, page 7-3<br />
• Configuring the Site-to-Site VPN, page 7-3<br />
Information to Have Available<br />
Before you begin the configuration procedure, obtain the following information:<br />
• IP address of the remote adaptive security appliance peer<br />
• IP addresses of local hosts and networks permitted to use the tunnel to<br />
communicate with resources at the remote site<br />
• IP addresses of remote hosts and networks permitted to use the tunnel to<br />
communicate with local resources<br />
Configuring the Site-to-Site VPN<br />
This section describes how to use the ASDM VPN Wizard to configure the<br />
adaptive security appliance for a site-to-site VPN.<br />
This section includes the following topics:<br />
• Starting ASDM, page 7-3<br />
• Configuring the Adaptive Security Appliance at the Local Site, page 7-5<br />
• Providing Information About the Remote VPN Peer, page 7-6<br />
• Configuring the IKE Policy, page 7-8<br />
• Configuring IPsec Encryption and Authentication Parameters, page 7-9<br />
• Specifying Hosts and Networks, page 7-10<br />
• Viewing VPN Attributes and Completing the Wizard, page 7-12<br />
The following sections provide detailed instructions for how to perform each<br />
configuration step.<br />
Starting ASDM<br />
This section describes how to start ASDM using the ASDM Launcher software.<br />
If you have not installed the ASDM Launcher software, see Installing the ASDM<br />
Launcher, page 4-5.<br />
If you prefer to access ASDM directly with a web browser or using Java, see<br />
Starting ASDM with a Web Browser, page 4-7.<br />
To start ASDM using the ASDM Launcher software, perform the following steps:<br />
Step 1<br />
From your desktop, start the Cisco ASDM Launcher software.<br />
A dialog box appears.<br />
Step 2<br />
Enter the IP address or the hostname of your adaptive security appliance.<br />
Step 3<br />
Leave the Username and Password fields blank.<br />
Note<br />
By default, there is no Username and Password set for the Cisco ASDM<br />
Launcher.<br />
Step 4<br />
Click OK.<br />
Step 5<br />
If you receive a security warning containing a request to accept a certificate, click<br />
Yes.<br />
The ASA 5580 checks to see if there is updated software and if so, downloads it<br />
automatically.<br />
The main ASDM window appears.<br />
Configuring the Adaptive Security Appliance at the Local Site<br />
Note<br />
The adaptive security appliance at the first site is referred to as Security<br />
Appliance 1 in this scenario.<br />
To configure Security Appliance 1, perform the following steps:<br />
Step 1<br />
In the main ASDM window, choose the IPsec VPN Wizard option from the<br />
Wizards drop-down menu. ASDM opens the first VPN Wizard screen.<br />
Step 2<br />
In Step 1 of the VPN Wizard, perform the following steps:<br />
a. In the VPN Tunnel Type area, click the Site-to-Site radio button.<br />
Note<br />
The Site-to-Site VPN option connects two IPsec security gateways,<br />
which can include adaptive security appliances, VPN concentrators,<br />
or other devices that support site-to-site IPsec connectivity.<br />
b. From the VPN tunnel Interface drop-down list, choose Outside as the enabled<br />
interface for the current VPN tunnel.<br />
c. Click Next to continue.<br />
Providing Information About the Remote VPN Peer<br />
The VPN peer is the system on the other end of the connection that you are<br />
configuring, usually at a remote site.<br />
Note In this scenario, the remote VPN peer is referred to as Security Appliance 2.<br />
In Step 2 of the VPN Wizard, perform the following steps:<br />
Step 1<br />
Enter the Peer IP Address (the IP address of Security Appliance 2, in this scenario<br />
209.165.200.236) and a Tunnel Group Name (for example “Cisco”).<br />
Step 2<br />
Specify the type of authentication that you want to use by selecting one of the<br />
following authentication methods:<br />
• To use a static preshared key for authentication, click the Pre-Shared Key<br />
radio button and enter a preshared key (for example, “Cisco”). This key is<br />
used for IPsec negotiations between the adaptive security appliances.<br />
Note<br />
When using preshared key authentication, the Tunnel Group Name<br />
must be the IP address of the peer.<br />
• To use digital certificates for authentication, click the Certificate radio<br />
button, choose the certificate signing algorithm from the Certificate Signing<br />
Algorithm drop-down list, and then choose a preconfigured trustpoint name<br />
from the Trustpoint Name drop-down list.<br />
If you want to use digital certificates for authentication but have not yet<br />
configured a trustpoint name, you can continue with the Wizard by using one<br />
of the other two options. You can revise the authentication configuration later<br />
using the standard ASDM screens.<br />
• Click the Challenge/Response Authentication radio button to use that<br />
method of authentication.<br />
Step 3<br />
Click Next to continue.<br />
Configuring the IKE Policy<br />
IKE is a negotiation protocol that includes an encryption method to protect data<br />
and ensure privacy; it also provides authentication to ensure the identity of the<br />
peers. In most cases, the ASDM default values are sufficient to establish secure<br />
VPN tunnels between two peers.<br />
In Step 3 of the VPN Wizard, perform the following steps:<br />
Step 1<br />
Choose the encryption algorithm (DES/3DES/AES), the authentication algorithm<br />
(MD5/SHA), and the Diffie-Hellman group (1/2/5) that the adaptive security<br />
appliance uses when negotiating the IKE security association.<br />
Note<br />
When configuring Security Appliance 2, enter the exact values for each<br />
of the options that you chose for Security Appliance 1. Encryption<br />
mismatches are a common cause of VPN tunnel failures and can slow<br />
down the process.<br />
Step 2<br />
Click Next to continue.<br />
Configuring IPsec Encryption and Authentication Parameters<br />
In Step 4 of the VPN Wizard, perform the following steps:<br />
Step 1<br />
Choose the encryption algorithm (DES/3DES/AES) from the Encryption<br />
drop-down list, and the authentication algorithm (MD5/SHA) from the<br />
Authentication drop-down list.<br />
Step 2<br />
Click Next to continue.<br />
Specifying Hosts and Networks<br />
Identify hosts and networks at the local site that are permitted to use this IPsec<br />
tunnel to communicate with hosts and networks on the other side of the tunnel.<br />
Specify hosts and networks that are permitted access to the tunnel by clicking<br />
Add or Delete. In the current scenario, traffic from Network A (10.10.10.0) is<br />
encrypted by Security Appliance 1 and transmitted through the VPN tunnel.<br />
In addition, identify hosts and networks at the remote site to be allowed to use this<br />
IPsec tunnel to access local hosts and networks. Add or remove hosts and<br />
networks dynamically by clicking Add or Delete respectively. In this scenario, for<br />
Security Appliance 1, the remote network is Network B (10.20.20.0), so traffic<br />
encrypted from this network is permitted through the tunnel.<br />
In Step 5 of the VPN Wizard, perform the following steps:<br />
Step 1<br />
In the Action area, click the Protect radio button or Do Not Protect radio button.<br />
Step 2<br />
Enter the IP address of local networks to be protected or not protected, or click<br />
the ellipsis (...) button to select from a list of hosts and networks.<br />
Step 3<br />
Enter the IP address of remote networks to be protected or not protected, or click<br />
the ellipsis (...) button to select from a list of hosts and networks.<br />
Step 4<br />
Click Next to continue.<br />
Viewing VPN Attributes and Completing the Wizard<br />
In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you<br />
just created.<br />
If you are satisfied with the configuration, click Finish to apply the changes to the<br />
adaptive security appliance.<br />
If you want the configuration changes to be saved to the startup configuration so<br />
that they are applied the next time the device starts, from the File menu, click<br />
Save.<br />
Alternatively, ASDM prompts you to save the configuration changes permanently<br />
when you exit ASDM.<br />
If you do not save the configuration changes, the old configuration takes effect the<br />
next time the device starts.<br />
This concludes the configuration process for Security Appliance 1.<br />
Configuring the Other Side of the VPN Connection<br />
You have just configured the local adaptive security appliance. Next, you need to<br />
configure the adaptive security appliance at the remote site.<br />
At the remote site, configure the second adaptive security appliance to serve as a<br />
VPN peer. Use the procedure you used to configure the local adaptive security<br />
appliance, starting with “Configuring the Adaptive Security Appliance at the<br />
Local Site” section on page 7-5 and finishing with “Viewing VPN Attributes and<br />
Completing the Wizard” section on page 7-12.<br />
Note<br />
When configuring Security Appliance 2, use the same values for each of the<br />
options that you selected for Security Appliance 1, with the exception of local<br />
hosts and networks. Mismatches are a common cause of VPN configuration<br />
failures.<br />
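The note in Configuring the IKE Policy, the Specifying Hosts and Networks section and the note above all come down to one requirement: both appliances must carry matching IKE and IPsec parameters, their crypto ACLs must be mirror images (the local networks of one are the remote networks of the other), and with preshared keys each tunnel-group name must be the peer's IP address. The following Python script is an added example, not part of this guide and not Cisco software. It parses two constructed ASA 8.x-style configuration excerpts (addresses and networks follow Figure 7-1; the ACL, crypto map and transform-set names are assumptions) and reports the mismatches a practitioner would otherwise have to spot by comparing the two wizard summary screens by hand.<br />

```python
"""Consistency check for the two ends of an ASA site-to-site tunnel.

Added example (not Cisco's code, not part of the guide). Parses the ISAKMP
policy, transform set, crypto ACL, peer and tunnel-group lines from two
ASA-style running-config excerpts and lists every disagreement that would
stop the tunnel from coming up.
"""
import ipaddress
import re

# Constructed excerpt for Security Appliance 1 (Site A, Figure 7-1).
# Object names such as outside_1_cryptomap and ESP-3DES-SHA are assumptions.
SA1_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 209.165.200.236
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group 209.165.200.236 type ipsec-l2l
"""

# Constructed excerpt for Security Appliance 2 (Site B) with two deliberate
# errors: AES instead of 3DES in the ISAKMP policy, and a tunnel-group named
# "Cisco" rather than the peer's IP address (required with preshared keys).
SA2_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 209.165.200.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group Cisco type ipsec-l2l
"""


def parse(config):
    """Extract the parameters that must agree between the two peers."""
    isakmp = {}
    for line in config.splitlines():
        m = re.match(r"^ (authentication|encryption|hash|group) (\S+)$", line.rstrip())
        if m:
            isakmp[m.group(1)] = m.group(2)
    ts = re.search(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$", config, re.M)
    acl = re.search(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$", config, re.M)
    peer = re.search(r"^crypto map \S+ \d+ set peer (\S+)$", config, re.M)
    tg = re.search(r"^tunnel-group (\S+) type ipsec-l2l$", config, re.M)
    return {
        "isakmp": isakmp,
        "transform": (ts.group(2), ts.group(3)) if ts else None,
        "local_net": ipaddress.ip_network(f"{acl.group(1)}/{acl.group(2)}") if acl else None,
        "remote_net": ipaddress.ip_network(f"{acl.group(3)}/{acl.group(4)}") if acl else None,
        "peer": peer.group(1) if peer else None,
        "tunnel_group": tg.group(1) if tg else None,
    }


def check_peers(cfg_a, cfg_b):
    """Return a list of human-readable mismatches; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    # IKE phase 1: every policy attribute must be identical on both sides.
    for key in ("authentication", "encryption", "hash", "group"):
        if a["isakmp"].get(key) != b["isakmp"].get(key):
            problems.append(f"IKE {key}: {a['isakmp'].get(key)} vs {b['isakmp'].get(key)}")
    # IPsec phase 2: the transform set (ESP cipher and HMAC) must match.
    if a["transform"] != b["transform"]:
        problems.append(f"IPsec transform set: {a['transform']} vs {b['transform']}")
    # Crypto ACLs must be mirror images: A's local is B's remote and vice versa.
    if a["local_net"] != b["remote_net"] or a["remote_net"] != b["local_net"]:
        problems.append("crypto ACLs are not mirror images of each other")
    # With preshared keys the tunnel-group name must be the peer's IP address.
    for name, cfg in (("SA1", a), ("SA2", b)):
        if cfg["isakmp"].get("authentication") == "pre-share" and cfg["tunnel_group"] != cfg["peer"]:
            problems.append(f"{name}: tunnel-group {cfg['tunnel_group']!r} is not the peer address {cfg['peer']}")
    return problems


if __name__ == "__main__":
    for problem in check_peers(SA1_CONFIG, SA2_CONFIG):
        print("MISMATCH:", problem)
```

Run as written, the script reports the IKE encryption mismatch and the tunnel-group name on Security Appliance 2; once both are corrected the list is empty, which is the state the two wizard summary screens should be in before you click Finish on the second appliance.<br />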
What to Do Next<br />
If you are deploying the adaptive security appliance only in a site-to-site VPN<br />
environment, then you have completed the initial configuration. In addition, you<br />
may want to consider performing some of the following steps:<br />
• To refine the configuration and configure optional and advanced features, see the<br />
Cisco Security Appliance Command Line Configuration Guide and the<br />
Cisco Security Appliance Command Reference.<br />
• To learn about daily operations, see Cisco Security Appliance Logging<br />
Configuration and System Log Messages.<br />
You can configure the adaptive security appliance for more than one application.<br />
The following sections provide configuration procedures for other common<br />
applications of the adaptive security appliance:<br />
• To configure an SSL VPN for the Cisco AnyConnect software client, see<br />
Chapter 5, “Scenario: Configuring Connections for a Cisco AnyConnect<br />
VPN Client”.<br />
• To configure a clientless (browser-based) SSL VPN, see Chapter 6,<br />
“Scenario: SSL VPN Clientless Connections”.<br />
• To configure a remote-access VPN, see Chapter 8, “Scenario: IPsec<br />
Remote-Access VPN Configuration”.<br />
Chapter 8<br />
Scenario: IPsec Remote-Access VPN Configuration<br />
This chapter describes how to use the adaptive security appliance to accept<br />
remote-access IPsec VPN connections. A remote-access VPN allows you to<br />
create secure connections, or tunnels, across the Internet, which provides secure<br />
access to off-site users. In this type of VPN configuration, remote users must be<br />
running the Cisco VPN client to connect to the adaptive security appliance.<br />
If you are implementing an Easy VPN solution, this chapter describes how to<br />
configure the Easy VPN server (sometimes called a headend device).<br />
This chapter includes the following sections:<br />
• Example IPsec Remote-Access VPN Network Topology, page 8-1<br />
• Implementing the IPsec Remote-Access VPN Scenario, page 8-2<br />
• What to Do Next, page 8-19<br />
Example IPsec Remote-Access VPN Network<br />
Topology<br />
Figure 8-1 shows an adaptive security appliance configured to accept requests<br />
from and establish IPsec connections with VPN clients, such as Cisco Easy VPN<br />
software or hardware clients, over the Internet.<br />
Figure 8-1<br />
Network Layout for Remote Access VPN Scenario<br />
Figure contents: the inside interface of the security appliance faces the internal<br />
network 10.10.10.0, which contains a DNS server (10.10.10.163) and a WINS<br />
server (10.10.10.133); its outside interface faces the Internet, across which a<br />
VPN client (user 1), a second VPN client (user 2), and a hardware client (user 3)<br />
connect.<br />
Implementing the IPsec Remote-Access VPN Scenario<br />
This section describes how to configure the adaptive security appliance to accept<br />
IPsec VPN connections from remote clients and devices. If you are implementing<br />
an Easy VPN solution, this section describes how to configure an Easy VPN<br />
server (also known as a headend device).<br />
Values for example configuration settings are taken from the remote-access<br />
scenario illustrated in Figure 8-1.<br />
This section includes the following topics:<br />
• Information to Have Available, page 8-3<br />
• Starting ASDM, page 8-3<br />
• Configuring an IPsec Remote-Access VPN, page 8-5<br />
• Selecting VPN Client Types, page 8-6<br />
• Specifying the VPN Tunnel Group Name and Authentication Method,<br />
page 8-7<br />
• Specifying a User Authentication Method, page 8-9<br />
• (Optional) Configuring User Accounts, page 8-10<br />
• Configuring Address Pools, page 8-11<br />
• Configuring Client Attributes, page 8-13<br />
• Configuring the IKE Policy, page 8-14<br />
• Configuring IPsec Encryption and Authentication Parameters, page 8-15<br />
• Specifying Address Translation Exception and Split Tunneling, page 8-16<br />
• Verifying the Remote-Access VPN Configuration, page 8-18<br />
Information to Have Available<br />
Before you begin configuring the adaptive security appliance to accept remote<br />
access IPsec VPN connections, make sure that you have the following information<br />
available:<br />
• Range of IP addresses to be used in an IP pool. These addresses are assigned<br />
to remote VPN clients as they are successfully connected.<br />
• List of users to be used in creating a local authentication database, unless you<br />
are using an AAA server for authentication.<br />
• Networking information to be used by remote clients when connecting to the<br />
VPN, including the following:<br />
– IP addresses for the primary and secondary DNS servers<br />
– IP addresses for the primary and secondary WINS servers<br />
– Default domain name<br />
– List of IP addresses for local hosts, groups, and networks that should be<br />
made accessible to authenticated remote clients<br />
Starting ASDM<br />
This section describes how to start ASDM using the ASDM Launcher software.<br />
If you have not installed the ASDM Launcher software, see Starting ASDM with<br />
a Web Browser, page 4-7.<br />
If you prefer to access ASDM directly with a web browser or using Java, see<br />
Starting ASDM with a Web Browser, page 4-7.<br />
To start ASDM using the ASDM Launcher software, perform the following steps:<br />
Step 1<br />
From your desktop, start the Cisco ASDM Launcher software.<br />
A dialog box appears.<br />
Step 2<br />
Enter the IP address or the hostname of your adaptive security appliance.<br />
Step 3<br />
Leave the Username and Password fields blank.<br />
Note<br />
By default, there is no Username and Password set for the Cisco ASDM<br />
Launcher.<br />
Step 4<br />
Click OK.<br />
Step 5<br />
If you receive a security warning containing a request to accept a certificate, click<br />
Yes.<br />
The adaptive security appliance checks to see if there is updated software and if<br />
so, downloads it automatically.<br />
The main ASDM window appears.<br />
Configuring an IPsec Remote-Access VPN<br />
To configure a remote-access VPN, perform the following steps:<br />
Step 1<br />
In the main ASDM window, choose IPsec VPN Wizard from the Wizards<br />
drop-down menu. The VPN Wizard Step 1 screen appears.<br />
Step 2<br />
In Step 1 of the VPN Wizard, perform the following steps:<br />
a. Click the Remote Access radio button.<br />
b. From the drop-down list, choose Outside as the enabled interface for the<br />
incoming VPN tunnels.<br />
c. Click Next to continue.<br />
Selecting VPN Client Types<br />
In Step 2 of the VPN Wizard, perform the following steps:<br />
Step 1<br />
Specify the type of VPN client that will enable remote users to connect to this<br />
adaptive security appliance. For this scenario, click the Cisco VPN Client radio<br />
button.<br />
You can also use any other Cisco Easy VPN remote product.<br />
Step 2<br />
Click Next to continue.<br />
Specifying the VPN Tunnel Group Name and Authentication Method<br />
In Step 3 of the VPN Wizard, perform the following steps:<br />
Step 1<br />
Specify the type of authentication that you want to use by performing one of the<br />
following steps:<br />
• To use a static preshared key for authentication, click the Pre-Shared Key<br />
radio button and enter a preshared key (for example, “Cisco”). This key is<br />
used for IPsec negotiations.<br />
• To use digital certificates for authentication, click the Certificate radio<br />
button, choose the Certificate Signing Algorithm from the drop-down list,<br />
and then choose a preconfigured trustpoint name from the drop-down list.<br />
If you want to use digital certificates for authentication but have not yet<br />
configured a trustpoint name, you can continue with the Wizard by using one<br />
of the other two options. You can revise the authentication configuration later<br />
using the standard ASDM windows.<br />
• Click the Challenge/Response Authentication (CRACK) radio button to<br />
use that method of authentication.<br />
Step 2<br />
Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use<br />
common connection parameters and client attributes to connect to this security<br />
appliance.<br />
Step 3<br />
Click Next to continue.<br />
Specifying a User Authentication Method<br />
Users can be authenticated either by a local authentication database or by using<br />
external authentication, authorization, and accounting (AAA) servers (RADIUS,<br />
TACACS+, SDI, NT, Kerberos, and LDAP).<br />
In Step 4 of the VPN Wizard, perform the following steps:<br />
Step 1<br />
If you want to authenticate users by creating a user database on the security<br />
appliance, click the Authenticate Using the Local User Database radio button.<br />
Step 2<br />
If you want to authenticate users with an external AAA server group:<br />
a. Click the Authenticate Using an AAA Server Group radio button.<br />
b. Choose a preconfigured server group from the Authenticate using a AAA<br />
server group drop-down list, or click New to add a new AAA server group.<br />
Step 3<br />
Click Next to continue.<br />
(Optional) Configuring User Accounts<br />
If you have chosen to authenticate users with the local user database, you can<br />
create new user accounts here. You can also add users later using the ASDM<br />
configuration interface.<br />
In Step 5 of the VPN Wizard, perform the following steps:<br />
Step 1<br />
To add a new user, enter a username and password, and then click Add.<br />
Step 2
When you have finished adding new users, click Next to continue.
Configuring Address Pools
For remote clients to gain access to your network, you must configure a pool of IP addresses that can be assigned to remote VPN clients as they are successfully connected. In this scenario, the pool is configured to use the range of IP addresses 209.165.201.1–209.166.201.20.
In Step 6 of the VPN Wizard, perform the following steps:
Step 1
Enter a pool name or choose a preconfigured pool from the Pool Name drop-down list.
Alternatively, click New to create a new address pool.
The Add IP Pool dialog box appears.
Step 2
In the Add IP Pool dialog box, do the following:
a. Enter the Starting IP address and Ending IP address of the range.
b. (Optional) Enter a subnet mask or choose a subnet mask for the range of IP addresses from the Subnet Mask drop-down list.
c. Click OK to return to Step 6 of the VPN Wizard.
Step 3
Click Next to continue.
Configuring Client Attributes
To access your network, each remote access client needs basic network configuration information, such as which DNS and WINS servers to use and the default domain name. Instead of configuring each remote client individually, you can provide the client information to ASDM. The adaptive security appliance pushes this information to the remote client or Easy VPN hardware client when a connection is established.
Make sure that you specify the correct values, or remote clients will not be able to use DNS names for resolution or use Windows networking.
In Step 7 of the VPN Wizard, perform the following steps:
Step 1
Enter the network configuration information to be pushed to remote clients.
Step 2
Click Next to continue.
Configuring the IKE Policy
IKE is a negotiation protocol: it establishes an encryption method that protects the data and ensures privacy, and an authentication method that verifies the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels.
To specify the IKE policy in Step 8 of the VPN Wizard, perform the following steps:
Step 1
Choose the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the adaptive security appliance during an IKE security association.
Step 2
Click Next to continue.
Configuring IPsec Encryption and Authentication Parameters
In Step 9 of the VPN Wizard, perform the following steps:
Step 1
Choose the encryption algorithm (DES/3DES/AES) and the authentication algorithm (MD5/SHA).
Step 2
Click Next to continue.
Specifying Address Translation Exception and Split Tunneling
Split tunneling enables remote-access IPsec clients to send packets conditionally either over an IPsec tunnel in encrypted form or to a network interface in clear text.
The adaptive security appliance uses Network Address Translation (NAT) to prevent internal IP addresses from being exposed externally. You can make exceptions to this network protection by identifying local hosts and networks that should be made accessible to authenticated remote users.
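The wizard's Step 8 and Step 9 drop-down lists offer DES/3DES/AES, MD5/SHA and Diffie-Hellman groups 1/2/5/7, and the guide says the defaults are usually sufficient. The following Python script is an added example (it is not Cisco's code and not part of this guide): it takes the values those lists offer, reports which choices are weak by current standards, and says whether the chosen ciphers require the 3DES/AES license described in Appendix A. The weakness descriptions and the function names are this example's own.

```python
# Added example (not Cisco's code): review the IKE policy (Step 8) and the
# IPsec proposal (Step 9) chosen in the VPN Wizard and flag weak settings.
# The allowed values mirror the wizard's drop-down lists as the guide lists them.

IKE_ENCRYPTION = ("DES", "3DES", "AES")
IKE_HASH = ("MD5", "SHA")
DH_GROUPS = (1, 2, 5, 7)

# Why a setting is flagged. Wording is this example's, not the guide's.
WEAK_REASONS = {
    ("encryption", "DES"): "56-bit key, brute-forceable; use AES",
    ("encryption", "3DES"): "64-bit block size, legacy cipher; prefer AES",
    ("hash", "MD5"): "HMAC-MD5 is deprecated for IKE/IPsec integrity; use SHA",
    ("dh_group", 1): "768-bit MODP, far below current key-strength guidance",
    ("dh_group", 2): "1024-bit MODP, below current guidance; prefer group 5 or stronger",
    ("dh_group", 7): "163-bit elliptic curve, deprecated",
}


def _validate(kind, value, allowed):
    """Reject anything the wizard could not have offered."""
    if value not in allowed:
        raise ValueError(f"{kind} must be one of {allowed}, got {value!r}")


def review_ike_policy(encryption, hash_alg, dh_group):
    """Return the list of findings for one IKE policy; an empty list means no concerns."""
    _validate("encryption", encryption, IKE_ENCRYPTION)
    _validate("hash", hash_alg, IKE_HASH)
    _validate("dh_group", dh_group, DH_GROUPS)
    findings = []
    for key in (("encryption", encryption), ("hash", hash_alg), ("dh_group", dh_group)):
        if key in WEAK_REASONS:
            findings.append(f"IKE {key[0]}={key[1]}: {WEAK_REASONS[key]}")
    return findings


def review_ipsec_proposal(encryption, hash_alg):
    """Same review for the Step 9 encryption/authentication pair."""
    _validate("encryption", encryption, IKE_ENCRYPTION)
    _validate("hash", hash_alg, IKE_HASH)
    findings = []
    for key in (("encryption", encryption), ("hash", hash_alg)):
        if key in WEAK_REASONS:
            findings.append(f"IPsec {key[0]}={key[1]}: {WEAK_REASONS[key]}")
    return findings


def review_tunnel(ike, ipsec):
    """Review both phases together. ike=(enc, hash, dh_group), ipsec=(enc, hash)."""
    findings = review_ike_policy(*ike) + review_ipsec_proposal(*ipsec)
    # The IPsec session keys derive from the IKE Diffie-Hellman exchange, so a
    # weak group weakens the data-protection keys even if the IPsec ciphers are strong.
    if any(f.startswith("IKE dh_group") for f in findings):
        findings.append("note: a weak IKE DH group also weakens the derived IPsec keys")
    return findings


def requires_3des_aes_license(ike, ipsec):
    """True when either phase uses 3DES or AES, which the base DES license does not enable."""
    return ike[0] in ("3DES", "AES") or ipsec[0] in ("3DES", "AES")


if __name__ == "__main__":
    # Constructed sample choices, not values taken from a real configuration.
    chosen_ike, chosen_ipsec = ("AES", "SHA", 2), ("AES", "SHA")
    for line in review_tunnel(chosen_ike, chosen_ipsec):
        print(line)
    print("needs 3DES/AES license:", requires_3des_aes_license(chosen_ike, chosen_ipsec))
```

Run it with the values you intend to pick in the wizard; an empty result from review_tunnel means none of the selections is on the weak list.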
In Step 10 of the VPN Wizard, perform the following steps:
Step 1
Specify hosts, groups, and networks that should be in the list of internal resources made accessible to authenticated remote users.
To add or remove hosts, groups, and networks dynamically from the Selected Hosts/Networks area, click Add or Delete, respectively.
Note
Enable split tunneling by checking the Enable Split Tunneling check box at the bottom of the screen. Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel.
Step 2
Click Next to continue.
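The address pool entered in Step 6 and the internal networks and split-tunneling choice made in Step 10 interact: a pool drawn from an internal subnet breaks the NAT-exemption assumption, and with split tunneling enabled any destination outside the selected networks leaves the client in clear text. The following Python script is an added example (not Cisco's code and not part of this guide) that models both checks. The pool, internal networks and destinations are constructed sample values, and the function names are this example's own.

```python
import ipaddress

# Constructed sample values (not from the guide): a VPN address pool as entered
# in the Add IP Pool dialog, the internal networks selected in Step 10, and the
# same list used as the split-tunnel network list.
VPN_POOL = ("209.165.201.1", "209.165.201.20", "255.255.255.0")
INTERNAL_NETWORKS = ["10.10.10.0/24", "10.10.20.0/24"]
SPLIT_TUNNEL_LIST = ["10.10.10.0/24", "10.10.20.0/24"]


def describe_pool(start, end, mask):
    """Validate a pool the way the dialog's fields define it.

    Returns (size, network), where network is the subnet the mask implies.
    Raises ValueError for a reversed range or for ends in different subnets.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("ending address precedes starting address")
    net_first = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
    net_last = ipaddress.IPv4Network(f"{last}/{mask}", strict=False)
    if net_first != net_last:
        raise ValueError("start and end of the range fall in different subnets")
    return int(last) - int(first) + 1, net_first


def pool_overlaps_internal(start, end, mask, internal_networks):
    """Return the internal networks that overlap the pool's subnet.

    A non-empty result is a configuration error: remote clients would be
    addressed out of a subnet that is also exempted from NAT and routed internally.
    """
    _, pool_net = describe_pool(start, end, mask)
    return [n for n in internal_networks
            if pool_net.overlaps(ipaddress.IPv4Network(n))]


def route_for(destination, split_tunnel_enabled, split_tunnel_list):
    """Say whether a client packet to 'destination' is tunneled or sent directly.

    With split tunneling disabled everything is tunneled. With it enabled,
    only destinations inside the configured list are tunneled; all other
    traffic leaves the client's local interface in clear text.
    """
    dst = ipaddress.IPv4Address(destination)
    if not split_tunnel_enabled:
        return "tunnel"
    for n in split_tunnel_list:
        if dst in ipaddress.IPv4Network(n):
            return "tunnel"
    return "direct"


def exposure_report(destinations, split_tunnel_enabled, split_tunnel_list):
    """Map each destination to 'tunnel' or 'direct' for a quick review."""
    return {d: route_for(d, split_tunnel_enabled, split_tunnel_list)
            for d in destinations}


if __name__ == "__main__":
    size, net = describe_pool(*VPN_POOL)
    print(f"pool of {size} addresses in {net}")
    print("overlaps internal networks:", pool_overlaps_internal(*VPN_POOL, INTERNAL_NETWORKS))
    print(exposure_report(["10.10.10.5", "198.51.100.7"], True, SPLIT_TUNNEL_LIST))
```

exposure_report is the part to run before enabling the check box: every destination it marks "direct" is traffic the tunnel will not protect.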
Verifying the Remote-Access VPN Configuration
In Step 11 of the VPN Wizard, review the configuration attributes for the new VPN tunnel. The displayed configuration should be similar to the following:
If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.
If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
What to Do Next
To establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers, obtain the Cisco VPN client software.
For more information about the Cisco Systems VPN client, see the following URL: http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html.
If you are deploying the adaptive security appliance solely in a remote-access VPN environment, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps:
To Do This... / See...
Refine configuration and configure optional and advanced features / Cisco Security Appliance Command Line Configuration Guide; Cisco Security Appliance Command Reference
Learn about daily operations / Cisco Security Appliance Logging Configuration and System Log Messages
You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance:
To Do This... / See...
Configure an SSL VPN for the Cisco AnyConnect software client / Chapter 5, “Scenario: Configuring Connections for a Cisco AnyConnect VPN Client”
Configure a clientless (browser-based) SSL VPN / Chapter 5, “Scenario: Configuring Connections for a Cisco AnyConnect VPN Client”
Configure a site-to-site VPN / Chapter 7, “Scenario: Site-to-Site VPN Configuration”
APPENDIX A
Obtaining a 3DES/AES License
The Cisco ASA 5580 comes with a DES license that provides encryption. You can obtain a 3DES/AES license that provides encryption technology to enable specific features, such as secure remote management (SSH, ASDM, and so on), site-to-site VPN, and remote access VPN. You need an encryption license key to enable this license.
If you are a registered user of Cisco.com and would like to obtain a 3DES/AES encryption license, go to the following website:
http://www.cisco.com/go/license
If you are not a registered user of Cisco.com, go to the following website:
https://tools.cisco.com/SWIFT/Licensing/RegistrationServlet
Provide your name, e-mail address, and the serial number for the adaptive security appliance as it appears in the show version command output.
Note
You will receive the new activation key for your adaptive security appliance within two hours of requesting the license upgrade.
For more information on activation key examples or upgrading software, see the Cisco Security Appliance Command Line Configuration Guide.
To use the activation key, perform the following steps:
Command / Purpose
Step 1
hostname# show version
Shows the software release, hardware configuration, license key, and related uptime data.
Step 2
hostname# activation-key activation-5-tuple-key
Updates the encryption activation key by replacing the activation-5-tuple-key variable with the activation key obtained with your new license. The activation-5-tuple-key variable is a five-element hexadecimal string with one space between each element. An example is 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e 0x1234abcd. The “0x” is optional; all values are assumed to be hexadecimal.
Note
You only need to reload the configuration when you downgrade licensed features.
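Because a mistyped activation key is only rejected after it is entered on the appliance, it is worth checking the key against the format the appendix describes (five hexadecimal elements, one space apart, the 0x prefix optional) before typing it. The following Python script is an added example (not Cisco's code and not part of this guide) that parses that format; the 32-bit width per element is an assumption taken from the example key in the table, and the function names are this example's own.

```python
import re

# Added example (not Cisco's code): parse and normalize an activation key in the
# five-element hexadecimal form described in Appendix A. SAMPLE_KEY is the
# example key printed in the appendix table. Assumption: each element is at
# most 32 bits (8 hex digits), as in that example.
SAMPLE_KEY = "0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e 0x1234abcd"

_ELEMENT = re.compile(r"^(0[xX])?([0-9a-fA-F]{1,8})$")


def parse_activation_key(text):
    """Return the five elements as integers, or raise ValueError.

    Elements may carry an optional 0x prefix. The appendix specifies a single
    space between elements; this parser also tolerates extra whitespace so a
    key pasted from e-mail with line wraps still parses.
    """
    elements = text.split()
    if len(elements) != 5:
        raise ValueError(f"expected 5 elements, got {len(elements)}")
    values = []
    for i, element in enumerate(elements, 1):
        m = _ELEMENT.match(element)
        if not m:
            raise ValueError(f"element {i} ({element!r}) is not hexadecimal")
        values.append(int(m.group(2), 16))
    return values


def normalize_activation_key(text):
    """Canonical form: lower-case, 0x-prefixed, zero-padded to 8 hex digits."""
    return " ".join(f"0x{v:08x}" for v in parse_activation_key(text))


def keys_match(typed, issued):
    """Compare a key as typed against the key from the license e-mail,
    ignoring case, prefix and spacing differences."""
    return parse_activation_key(typed) == parse_activation_key(issued)


if __name__ == "__main__":
    print(normalize_activation_key("E02888DA 4BA7BED6 F1C123AE FFD8624E 1234ABCD"))
    print(keys_match("e02888da 4ba7bed6 f1c123ae ffd8624e 1234abcd", SAMPLE_KEY))
```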
INDEX
Numerics
10-Gigabit Ethernet fiber interface card
  described 2-5
  illustration 2-6
A
ASA 5580
  Ethernet port indicators 3-18
  I/O bridges 2-6
  installing in a rack 3-4
  power supply indicators 3-19
C
CA
  certificate validation, not done in WebVPN 6-2
Console port 3-21
E
Ethernet port indicators 3-18
G
Gigabit Ethernet fiber interface card
  described 2-6
Gigabit Ethernet interface card
  described 2-5
  illustration 2-5
I
I/O bridges 2-6
Interface expansion slots 2-3
M
Management Port 3-20
MGMT port 3-16, 3-20
P
Power supply indicators 3-19
R
Rack installation
  ASA 5580 3-4
Rail system kit
  contents 3-2
S
security, WebVPN 6-2
W
WebVPN
  CA certificate validation not done 6-2
  security precautions 6-2
  unsupported features 6-3